EU council formally agrees to create new bloc-wide AML regulator with direct authority to review, penalize institutions

The Skinny:

  • After an agreement with finance ministers, the European Union will move forward in creating a bloc-wide financial crime compliance sentinel to directly oversee country regulators and financial institutions – with power to engage in direct reviews, request information and levy monetary penalties.
  • The agreement will form the foundation for more formal legal edicts expected to take force early next year.
  • The effort will be widely scrutinzed by global watchdog groups and partner world powers after embarrassing Baltic and Nordic banking scandals shattered the perception of strong union anti-money laundering and counter-financing of terrorism (AML/CFT) oversite with the estimated laundering of hundreds of billions of dollars tied to high-risk regions, like Russia.  
  • The Council also “supports setting up an EU-level supervisor with direct supervisory powers over a selected number of high-risk obliged entities, as well as the authority to take over supervision from a national supervisor in clearly defined and exceptional situations,” according to the ministers, a drastic move that would likely embarrass countries and shock others into line.

By Brian Monroe
bmonroe@acfcs.org
November 13, 2020 

The European Union after approval from member state finance members will move forward in creating a bloc-wide financial crime compliance sentinel to directly oversee country regulators and financial institutions – with power to engage in direct reviews, request information and levy monetary penalties.

The agreement at the EU Council will form the foundation for more formal legal edicts expected to take force early next year, a widely-watched initiative by global watchdog groups and partner world powers after embarrassing Baltic and Nordic banking scandals shattered the perception of strong union anti-money laundering and counter-financing of terrorism (AML/CFT) oversite with the estimated laundering of hundreds of billions of dollars tied to high-risk regions, like Russia.  

The Council also “supports setting up an EU-level supervisor with direct supervisory powers over a selected number of high-risk obliged entities, as well as the authority to take over supervision from a national supervisor in clearly defined and exceptional situations,” according to the ministers, a drastic move that would likely embarrass countries and shock others into line.

The push for making changes in all of these areas is clearly a response to the ever-widening and still-rumbling Danske Bank scandal.

The scandal has seen Denmark’s largest lender facing a plethora of probes, investigations, accusations and recriminations in several countries for its monitoring, reporting and handling of some 200 billion euros, or more than $224 billion, in potentially suspicious transactions tied to Russia between 2007 and 2015.

The scandal has sacked some top leaders at banks in Denmark and Sweden, snared Deutsche Bank and even cast regulators in the regions in harsh lights, even as these financial watchdogs work to levy statement-making penalties against the institutions involved. 

But the weaknesses in the EU that allowed such scandals could be getting the attention they deserve.

“The fight against money laundering and terrorism financing is a top priority for the German presidency,” said Olaf Scholz, Germany’s Federal Minister of Finance and Vice Chancellor, in a statement.

“Recent alleged money laundering cases, including in the EU, underline the urgency to act,” he said. “More harmoni[z]ed rules and EU-level supervision will allow us to be more effective and to strengthen the EU’s anti-money laundering framework. It is an important sign that we all stand united for tough anti-money laundering measures.”

For new EU AML authority, more power, communication, coordination

The Council missive calls on the EU Commission to prioritize work in creating a “single rulebook” for AML oversite that spans countries and, with the expectations in place, the establishment of an EU level AML/CFT supervision body that would be interwoven with country financial intelligence units (FIUs).

The commission must also “ensure that the EU AML/CFT supervisor, as a new competent authority, is integrated fully into cooperation structures between all relevant institutions at EU and national level, such as national competent authorities, the FIUs and their the coordination and support mechanism,” according to the council.

In tandem, the new AML supervisor must be coordinating and in communication with “law enforcement authorities, other relevant public authorities across the EU as well as EU institutions, including the European Central Bank (ECB) as prudential supervisor in relevant cases and other authorities and agencies such as the European Supervisory Authorities (ESAs), the European Public Prosecutor´s Office (EPPO) and Europol.”

The nascent authority could also find itself in the middle of country-level tug of wars.

“In particular with regard to the flow of information between home and host supervisory authorities, the EU supervisor should play a mediating role in conflicts,” according to the council.

With great AML oversite power, comes great responsibility – to levy penalties

The still-coagulating body will have broad powers at the bloc and country level.

The responsibilities of the EU AML/CFT supervisor should “include the right to general inspections – including requesting information, examining records and conducting on-site and off-site supervision – as well as the right to impose supervisory measures and administrative sanctions,” according to the council.

These would include examining large banking groups – those operating in multiple member states – finding gaps and perceived failings and even authority to “mandate a compliance officer, to require regular reporting, and to issue direct instructions with regard to enhanced due diligence or high-risk transactions.”

When finalized, the new authority could potentially act more quickly to pressure change, at the country level or with precision-guided forays into individual institutions, which would be an improvement over the clunky, time-consuming and multi-step process to foster compliance used currently.

For example, when it comes to countries tarrying on adopting EU’s Fifth Anti-Money Laundering Directive (AMLD5) into national law, the commission has to first review a country, then send a reasoned opinion, then refer the matter to the EU Court of Justice and then can finally start levying monetary penalties for non-compliance.

In February, right around the time the COVID-19 pandemic started to take hold, the EU Commission sent letters of formal notice to Cyprus, Hungary, the Netherlands, Portugal, Romania, Slovakia, Slovenia and Spain for not having notified any implementation measures for the updated AML directive – rules updated more than two years ago with a January 2020 deadline. 

More recently, at the tale end of last month, the commission singled out only Cyprus, sending the country a “reasoned opinion” to transpose the AML directive.

“To date, the Cypriot authorities have not notified the Commission of any transposition measure,” the commission stated in its October infringement proceedings package.   

“Legal gaps in one Member State have an impact on Europe as a whole,” the commission said. “The fight against money laundering and terrorism financing is instrumental to ensure financial stability and security in Europe.”

Even as pandemic rages on, authorities won’t let countries use it as an excuse on AML

Officials are also not letting countries off the hook because of the pandemic.

“Fighting money laundering is as relevant now as before the coronavirus pandemic,” the commission stated. “In fact, coronavirus-related crime and the laundering of its proceeds is on the rise, according to Europol and national law enforcement authorities.” 

Ensuring timely and correct transposition of the existing AML rules is one of the actions envisaged by the Commission in its six-point Action Plan published in May.

“Without a satisfactory response from Cyprus within the next two months, the Commission may decide to refer the case to the Court of Justice of the European Union,” the commission said.

That could be a greater challenge with more pressure coming from the newly minted EU AML supervisor, a looming deadline for some, but welcome change for others.

“I am delighted that finance ministers adopted conclusions on the Commission’s Anti-Money Laundering Action Plan of May 2020,” EU Commission Executive Vice-President Valdis Dombrovskis said, adding that effort will be an “ambitious basis for preparing a package of legal proposals on AML in the first quarter of 2021.”

“Money-laundering erodes trust in our banks and financial institutions, in our authorities and governments,” he said. “Dirty money is highly mobile, and this makes it a complex challenge to deal with. This is why we need to address this issue consistently at the EU level and we are determined to do so.”

For Abrigo’s Andres Tapia, flair for floral design, composition translates easily to skills needed to craft AML programs, balance risks, resources, results

The Skinny:

  • While colleagues might know Andres Tapia as being an artist when it comes to designing fincrime compliance programs, a challenge that requires balancing a cornucopia of precarious variables, in college he was known for his penchnat for agricultrual aesthetics.
  • But that duality – the ability to combine various seemingly disparate elements together and weave them into a functional, cohesive whole – has served him well over the past 17 years in the field of financial crime, leading to his current position as Senior Manager of Consulting at Abrigo, a compliance technology company focusing on community banks.
  • Tapia has also taken on some of the more arcane, technical and challenging parts of AML programs in the form of tuning and tweaking transaction monitoring systems, cajoling core banking systems and ensuring an unbroken continuum between both platforms.   
  • At the core, however, of being a respected professional in any given field is personal growth and realizing that while so much can seem out of your control, there is one thing that is governed by choice: attitude – a conceit that when employed has life-changing potential, he said.

By Brian Monroe
bmonroe@acfcs.org
November 9, 2020 

Andres Tapia will be the first to admit that when you meet him, a self-proclaimed “man’s man” who loves pumping iron, barbequing, football and NASCAR – basically everything the Southeast has to offer, you might not immediately think: frilly floral arrangements and agricultural artistry.

But that’s where you would be wrong.

The burly and square-jawed Florence, Ala.-resident learned that he had a softer side and an eye for verdant variations by accident – a duality that has served him well over the past 17 years in the field of financial crime, leading to his current position as Senior Manager of Consulting at Abrigo, a compliance technology company focusing on community banks.

On a lark in college, and because it helped fill a tight scholarly shedule spot, Tapia took a course in floral design.

Ironically, he not only didn’t wilt with his floral formations, he blossomed. So much so, in fact, he snared a scholarhship for the aesethetics of his arrangements.

But what is at the heart of floral design?

It is defined as the “art of using plant materials and flowers to create an eye-catching and balanced composition or display,” according to Wikipedia, with evidence of such practices going all the way back to ancient Egypt – a group known for being pretty good at building.

When it comes to the concepts of patience, planting seeds, growth, building up teams focused on effectiveness, balancing risks and resources and creating something with both form and function that passes inspection from rigorous reviewers in a very stressful environment, there are many parallels to the field of anti-money laundering (AML).

Tapia has overseen counter-crime teams and worked with community banks ranging in asset size from $1 billion to large regional banks of up to $125 billion in assets, crafting controls tied to retail banking, private banking, fraud, security, and BSA/AML compliance.

Prior to joining Abrigo, he managed multiple groups of compliance analysts and investigators at a financial institution along the US-Mexico border.

Tapia has also taken on some of the more arcane, technical and challenging parts of AML programs in the form of tuning and tweaking transaction monitoring systems, cajoling core banking systems and ensuring an unbroken continuum between both platforms.   

During this time, he gained experience with the U.S. banking sector’s most powerful and nitpicky regulator, the U.S. Treasury’s Office of the Comptroller of the Currency (OCC), consent orders, lookback projects, High Intensity Drug Trafficking Areas, High Intensity Financial Crime Areas, and “creating and motivating efficient teams,” he told ACFCS.  

He is also passionate about sharing the knowledge he has gained to help others.

In recent months, Tapia has offered insight in webinars on a potpouri of topics, including fraud, AML staffing, crypto, cannabis and more.

But capturing knowledge is only one aspect needed to rise in the field of financial crime.

“There are several attributes that make individuals successful in my opinion,” Tapia said. “The most important attributes to me are effective communication, an aptitude for learning and a humility to realize that you don’t know everything.”

Part and parcel of that effort is helping the next generation of professionals realize the potential they have in themselves.

“Helping young ambitious individuals accomplish their goals and objectives by spending time with them, listening, and providing guidance is tremendously rewarding as well,” Tapia said.

“Paying forward what others have done is something we all should be willing to do,” he added. “Very few people can achieve what they are capable of on their own, undoubtedly other people in our lives supported or guided us in our journey.”

At the core, however, of being a respected professional in any given field is personal growth and realizing that while so much can seem out of your control, there is one thing that is governed by choice: attitude – a conceit that when employed has life-changing potential.

“The remarkable thing is we have a choice every day regarding the attitude we embrace for that day,” he said, echoing the sentiments of noted theologian Charles Swindoll. “We cannot change our past… we cannot change the fact that people will act in a certain way. We cannot change the inevitable.”

The begs the question: what can we do?

“The only thing we can do is play the one string we have, and that is our attitude… I am convinced that life is 10% what happens to me and 90% how I react to it.”

Tapia was kind enough to share some of his insight on how he broke in the field and rose to key leadership positions and the infectious power of positivity, a bridge to allow personal and professional relationships to take root and harvest success, in our latest ACFCS Member Spotlight. 

Who inspires you?

My father-in-law is a missionary preacher. He has helped thousands of people through his outreach and work. He truly loves what he does which shows. His initiatives will continue to have an impact on generations of individuals globally. He is also a terrific role model for my kiddos and the community at large.

My observations are that because he loves what he does, his tasks do not seem like work to him.

His positive attitude and ability to connect have allowed him to build long lasting relationships that have afforded him the ability to maximize the opportunity of his mission work. He is a true inspiration to me and many others.

What is one thing - industry-related or not - that you learned in the past month?

I recently watched “The Social Dilemma,” which was both fascinating and disturbing.

What fascinated me is how much psychology played a role in engineering social media platforms. It was also troubling learning about some of the negative effects/trends that have resulted from the addictive traits of these applications and how that has affected society in regards to depression, anxiety and suicide.

It is amazing how complex and precise these applications have become. However, I think we can and should do more as a society in demanding corporate ethical responsibility. This is now likely something that only regulation will be able to address.

What is something about you that not many people know?

I feel like I am a guy’s guy. I love to hunt, love to exercise, love all the things the South Eastern US has to offer like barbeques, football, and NASCAR. What most people don’t know that might not totally align with my personality is that I was awarded a scholarship for floral design.

In high school I was part of Future Farmers of America (FFA). In order to continue to be part of the organization and show livestock you had to be enrolled in an agriculture class.

I had already taken the other classes and floral design was the only one that would work with my schedule. Part of the class required us to participate in some competitions. I won a couple of those competitions and as a result, received a scholarship.

What do you do in your current role

I lead an amazing team of consultants responsible for calibrating and tuning our monitoring software platform, BAM+, for our customers.

In addition to assisting our clients with our software, we also help non-software customers with advisory offerings such as BSA/AML risk assessments, policy and procedure reviews, gap analysis, BSA/AML mentoring, training, or interim roles for BSA and AML departments.

In addition to my primary responsibilities, I also function as a subject matter expert at Abrigo for my internal teams such as product, marketing, sales, and support.

What does your career trajectory in financial crime look like?

As the risk management space continues to evolve in financial institutions, into more complex technology-based units, I would like to continue to lead these transformation initiatives through fintech applications.

I am naturally curious and love to learn and help, so this is an ideal space for me to be in. My ideal career trajectory would continue to provide me with exposure opportunities in different functional areas of the fintech organization.

What is the best advice you have ever received?

Early on in my career a mentor of mine shared “Attitude” by Charles Swindoll with me.

“The longer I live, the more I realize the impact of attitude on life. Attitude, to me, is more important than facts. It is more important than the past, than education, than money, than circumstances, than failures, than successes, than what other people think, say or do. It is more important than appearance, giftedness or skill.

“It will make or break a company… a church… a home. The remarkable thing is we have a choice every day regarding the attitude we embrace for that day.

“We cannot change our past… we cannot change the fact that people will act in a certain way. We cannot change the inevitable. The only thing we can do is play the one string we have, and that is our attitude… I am convinced that life is 10% what happens to me and 90% how I react to it.”

And so it is with you…we are “in charge of our Attitudes.”

This concept had a dramatic effect on me. To test this concept out early on in my career, when I would greet someone, I would let them know that I was living the dream. Usually the person that I was talking to would laugh and we would start the conversation on a positive note.

Starting conversations on positive notes has allowed me to build relationships more quickly and in turn I have had more success in my interactions with customers and colleagues.

Because of this, I still tell everyone in my initial greeting that I am living the dream.

What would you say are the most important attributes for someone in your position to succeed?

There are several attributes that make individuals successful in my opinion. The most important attributes to me are effective communication, an aptitude for learning and a humility to realize that you don’t know everything.

Effective communication is critical to be able to convey your message and influence others. The ability and desire to learn allows your sphere of influence to grow and understand other perspectives.

This in turn makes your decisions and actions more effective by incorporating everyone’s objectives into the desired outcomes.

How has (compliance, investigations, etc.) changed and evolved during your career?

When I first started in BSA/AML and fraud, most of the potentially suspicious activity and fraud was related to cash structuring or check kiting.

As we have become more mature as an industry and have developed tools to identify and prevent nascent frauds or illegal activity, the number of typologies has increased dramatically. Bad actors have just adapted.

I think the material differentiator is the availability of information for both good actors and bad ones.

The types of frauds we are seeing now are taking place both domestically and internationally and are impacting larger groups of victims.

Just think about the information available on the dark web such as: identification information, social security numbers, account numbers, credit card and debit card information – the world is getting smaller and scarier.

The availability of this private information to bad actors has caused an increase in scope of the roles for compliance and fraud professionals.

If we also take into consideration the new technology software applications have that includes Machine Learning and Artificial Intelligence, you either have to train yourselves or acquire that skill and bring it into the department to keep pace with the associated demands.

What do you see as the key financial crime challenges in your role or in the sector overall?

Our industry [must] rapidly adapt to new systemic risks that present themselves.

Case in point are cyber-attacks like ransomware, and COVID-19 pandemic fraud schemes.

Historically, we have been compartmentalized as siloed units, however the new risks presented have forced our subject matter experts to become influencers within our organization to ensure we are communicating effectively with law enforcement.

This forcing function has made us learn and collaborate with other functional units within our financial institutions to continue to combat financial crime and inform law enforcement in a timely fashion.

The ability to keep up with the pace of change while performing our daily task obligates us to rely on others for assistance. Being willing to reinvent yourself to adjust to the directive changes is by far the biggest challenge we face.

What motivated you to become a financial crime compliance professional?

I have always been intrigued with law enforcement. My personality also has drawn me in to this profession.

I enjoy helping folks and taking care of teams and organizations. It has made this a natural fit for me to help safeguard both financial institutions and their customers.

It is tremendously satisfying identifying potentially suspicious activity and being part of a large multiorganizational team that assists our communities and society in general.

Is there anything that surprised you about your current role?

My role has shifted somewhat from an individual contributor role to that of an influencer role.

This shift has allowed me to continue to grow, learn, and flex under different leadership in a challenging environment. The role of an influencer seems like that of a relationship builder, to build goodwill with different internal and external stakeholders.

The surprise to me was how much can be accomplished through influence without direct control by building robust relationships with people.

Not everything we do professionally has to be a zero-sum game – all parties engaged in tasks or challenges can achieve their desired outcomes by winning together.

How did you get your first job in the field and what advice would you give other job seekers to help land their first position?

After 8 years in retail and private banking I was looking to continue to learn and grow in the financial services industry.

The BSA Officer at the bank I was working at was responsible for BSA, Fraud, and facilities for the entire bank. The workload was becoming unmanageable for one person and the financial institution was growing rapidly and needed to dedicate the BSA Officer role to give the BSA program the attention it needed.

In talking to my peer, he really liked the fraud piece but did not like the BSA portion of his role. He posted a role for an assistant role and approached me about it.

After doing some research and thinking about it, I drafted up a more comprehensive role that included the BSA Officer role.

The bank came back and countered and said that they would bring me on in an assistant capacity until I achieved my BSAO certification. They did and I have been in Financial Crimes compliance ever since.

Individuals looking to get into the industry should network as much as possible. There are great trade associations such as ACAMS and CFE groups that can help with information, training, and networking opportunities.

If they already work at a financial institution, they should connect with their BSA Officer or fraud manager to discuss the role and get as much exposure as possible.

Furthermore, they should not be afraid of pitching the ideal role that they would want to these individuals. This is especially true if the existing BSAO or Fraud manager has a desire to transition out of their respective roles or retire in the near future.

What is the most rewarding part of your job?

There are two things that are the most rewarding to me: helping customers work through challenges and mentoring other professionals though their journey.

Helping customers address their challenges in creative ways helps not only the financial institution but also helps the individual clients realize that similar approaches can be taken with other personal or professional obstacles.

It is very rewarding helping someone realize their value and potential by collaborating together on a challenging exercise.

Additionally, helping young ambitious individuals accomplish their goals and objectives by spending time with them, listening, and providing guidance is tremendously rewarding as well.

Paying forward what others have done is something we all should be willing to do. Very few people can achieve what they are capable of on their own, undoubtedly other people in our lives supported or guided us in our journey.

U.S. government agencies warn of impending coordinated ransomware attack against already pandemic-pummeled U.S. healthcare system

The Skinny:

  • A trio of U.S. government agencies have issued fresh warnings about the rising cyber-scourge of ransomware, stating they have intelligence that digital attackers are targeting the U.S. healthcare system, a callous and ill-timed attack that could cost lives during an uptick of coronavirus cases.
  • In a hefty and detailed alert, the FBI and other agencies stated they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country is still firmly in the group of the rampaging and ravenous COVID-19 pandemic.
  • The agencies are trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives are looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.
  • In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018, to $20 billion in 2020, according to a 2017 report from Cybersecurity Ventures.

By Brian Monroe
bmonroe@acfcs.org
October 28, 2020 

A trio of U.S. government agencies have issued fresh warnings about the rising cyber-scourge of ransomware, stating they have intelligence digital attackers are targeting the U.S. healthcare system, a callous and ill-timed attack that could cost lives during an uptick of coronavirus cases.

In a hefty and detailed alert, the FBI, the Department of Homeland Security and Department of Health and Human Services stated they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” a warning made all the more dire as the country is still firmly in the group of the rampaging and ravenous COVID-19 pandemic.

The agencies are trying to warn hospitals, medical offices, outpatient facilities and every operation associated with the sector that illicit hacking collectives are looking to engage in “data theft and disruption” of services, including life-saving medical treatments, to lock down systems for multi-million dollar payments and pilfer data to open doors for further virtual fusillades or sell on darknet markets.

The result: operations must “ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The expected attack also happens at a time when the U.S. is distracted by the presidential election, though both public and private sector entities have taken more precautions to prevent foreign election interference, a shadow that hung over the 2016 election.

The alert is also something bank financial crime compliance teams should be aware of as they could provide critical information to investigators tied to any payments from hospitals to attackers, including what virtual currency addresses and exchanges are being used.

Ransomware, previously a relatively minor threat in the cybercrime landscape, has become a high-profile problem in recent years.

Opportunistic organized crime groups, and even lower level foreign players, have been able to lock up larger companies, healthcare firms, hospitals, law firms and even the very law enforcement officials charged with investigating these types of crimes.

At its heart, ransomware is a type of malicious software that encrypts users’ files or blocks access to their computer systems until the user ponies up funds to pay the criminal a fee to finally release them – typically paid in difficult-to-trace virtual currency, such as Bitcoin.

This type of exploitation scheme targets and takes advantage of both inherent human weaknesses and more arcane technical vulnerabilities, such as an unpatched computer system, antivirus program or leaky firewall.

Data from Cybersecurity Ventures. Graphic via PurpleSec.

Ransomware costs soar as cyber criminals sell ‘ransomware as a service’ packages on the cheap

In recent years, the overall global costs and smoking virtual ruins left by ransomware attacks have soared, from an estimated $8 billion in 2018, to $20 billion in 2020, according to a 2017 report from Cybersecurity Ventures.

The group predicted ransomware damages would “cost the world $5 billion in 2017, up from $325 million in 2015 — a 15X increase in just two years,” according to an October 21, 2019 piece in Cybercrime Magazine. “The damages for 2018 were predicted to reach $8 billion, and for 2019 the figure is $11.5 billion,” according to the group.

A key culprit driving the explosion of growth in ransomware attacks is “the appearance of ransomware as a service and ransomware kits on the dark web, which can be purchased for as low as $175 and require little to no technical knowledge to deploy,” according to the group.

As well, if you think by being a diminutive operation, you won’t get on a scammer’s radar, think again.

“Small businesses, which account for 43 percent of all cyber attacks, make for the perfect target as they often can’t afford the investments into security,” the company stated.

This is also not the first time cyber brigands have targeted a region’s healthcare sector.  

“For example, the WannaCry ransomware attack was responsible for one of the largest healthcare breaches affecting the National Health Service (NHS) – locking out access to hundreds of thousands of patient files in hospitals in England and Scotland,” noted PurpleSec, adding that administration staff had to use paper, pens and pencils to chart, file and document.

Ransomware attacks cost U.S. healthcare organizations $157 million since 2016, with attacks against the sector expected to quadruple as early as this year and into 2021.

The individual ransom of 1,400 clinics, hospitals, and other healthcare organizations varied from $1,600 to $14 million per attack, according to PurpleSec.

Independent security analysts say the ransomware, called Ryuk, has already “impacted at least five U.S. hospitals this week and could potentially affect hundreds more,” according to the Associated Press.  

Four health care institutions have been reported to have been hit by ransomware in recent weeks, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon, according to the report.

Several spokespersons for the operations stated they had, thus far, only had to make minor changes, such as rerouting ambulances for a few hours, according to the AP report.

Even so, many of the top minds in the field say the worst is yet to come.

Alex Holden, CEO of Hold Security, which has been closely monitoring Ryuk for more than a year, said the attack wave could be “unprecedented in magnitude for the U.S,” according to the report, while Charles Carmakal, chief technical officer of the security firm Mandiant, called the cyberthreat the “most significant” the country may have ever seen, according to the report.

Grpahic courtesy PurpleSec.

Some tips and tactics to bolster cyber responses, resilience and recovery

Whether you are a hospital, bank, or any small or large business, you need to start thinking, acting and reacting defensively when it comes to ransomware and other cyberattacks.

That’s why the Association of Certified Financial Crime Specialists (ACFCS) has put together this quick rundown of things you can do before, during and after a ransomware attack to help survive and get your data back, without paying a bogus fee and supporting a criminal network.

1.      Use firewalls and antivirus programs – and please keep them up to date: In some instances, hackers use security vulnerabilities in a system or weaknesses to get inside a system and hold it for ransom, particularly if they can’t find access to financial or bank account details. Some people even forget to simply click on their firewall in Windows or put off updating anti-virus software, which would be inviting disaster.

2.      Don’t click on what you don’t know – the email fail whale: Most people know they have to be wary of a strange email telling them to update their bank password. But criminals are increasingly creative. That email can look like it came from your IT person or Microsoft or some official sounding source. Right click on the source of the email and ensure it’s not just from a site similar to your company’s or Microsoft. If you are unsure, send an email to your IT specialist and ask it came from him or her. Most likely, it didn’t. Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.

3.      Don’t click on what you don’t know, part 2 – browsing for a bruising: If you are doing normal things on the Internet, you shouldn’t get something that urges you to “immediately” update your chrome browser or, also in an urgent manner, update your Adobe PDF or something or other. Just close the window. Scan every executable file from the Internet before installing on your computer. And if the pop up box comes up asking you if you want to install system you aren’t trying to install, click no. You also shouldn’t get a page that pops up telling you that your bank account, Facebook and Instagram account have been compromised and you need to call a “Microsoft” engineer and they happen to have the number for you to call right on the page that won’t go away.

4.      Make sure you can move forward – by backing up: Use a third-party service or, better, yet back up your system and important files and programs in an external hard drive not connected to any of your networks. Make sure to test your backups regularly to ensure they are current. Do it monthly or at least every few months.

5.      During an attack fight back – by unplugging: If you do get attacked, unplug from the power and Internet. If the group is able to get access to your computer, unplugging will make it more difficult to pull more data from your system. If you see a ransomware note and you can’t click it away and your system is totally unresponsive, unplug as quickly as possible and reinstall from a backup.

6.      Know thine enemy – but do it from a clean system: if you want to try and find out what type of ransomware is attacking you, don’t use the same computer, or others on your network, as you can risk further infection to other systems. Use a clean computer on another network and try to see what others have done to break the encryption, clean their system or what solutions are available.

7.      Don’t pay – or you will end up paying more: In ransomware attacks, even if the person pays, the attackers may still hold some or all of their systems hostage or attack again at another time, starting the cycle again. Try to remember, as official and polished as these criminals may make their “tech site help” look, they are still criminals and just want your money.

8.      Don’t give attackers permission, by restricting permissions: Construct your system that only certain individuals with certain rights, privileges and passwords can access or make changes to more critical parts of the computer or network. That way you can limit users’ ability to install and run unwanted software, which may prevent the spread of malware to one or more computers. The mantra should be the lowest privilege gets least access to the system.

9.      They found flaws in your system – now look for flaws in theirs: If you didn’t back up your system, there could be some options to unlock and recover your data.Some variants of ransomware, though seemingly ironclad and airtight, have flaws in the way they implement the encryption used to lock your files.

10.    As a last resort, bring in the big guns – and say no to paying that ransom: A collaboration between Intel Security, Kaspersky Lab, and Europol called No More Ransom! has a collection of decryption tools for Ransomware that has been cracked by researchers. The site is www.nomoreransom.org.

In the eyes of investigators, regulators, when it comes to cyber, failing to plan is planning to fail

Similar to other more formalized counter financial crime plans, like anti-money laundering (AML) and anti-fraud, government agencies are urging companies to think of business continuity plans from more than the perspective of revenues, profits and costs – because a devastating ransomware attack could cost everything. .

“CISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions,” according to the alert.

“Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations,” the agencies noted. “Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. “

CISA, FBI, and HHS suggest Healthcare and Public Health (HPH) sector organizations “review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.”

But how does that look in practice? Here are some tips:

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

Ransomware Best Practices

CISA, FBI and HHS do not recommend paying ransoms.

Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

As more hospitals capture data, make everyday objects ‘internet-enabled,’ attack surface broadens

These tips, while helpful for all companies, must be taken to heart by the healthcare sector.

While rare, individuals have been physically harmed, even died, because of a cyberattack shutting down a hospital. Hacking collectives, foreign nation states and criminals of all stripes have learned that it is easy, and profitable, to attack hospitals and that they will pay a lot – typically millions of dollars – and pay quickly to get their systems back online.

Hospitals must realize that just as their devices are attached to internal systems and external online networks – a necessity to improve patient care – they must strengthen the virtual walls of these technologies.

The reason? 

To prevent a pulsating monitor or pumping machine from simply becoming another vulnerability and entry point for criminals who don’t care how sick your patients are, how overwhelmed your staffers are and how slim your profits are – as they only care about enriching their illicit coffers. 

*This story has been updated.

ACFCS Jobs Corner: In fincrime compliance job hunt, research diligently, apply carefully, network thoughtfully, says Zachary Plotkin

The Skinny:

  • The need to wargame when it comes to finding a dream position has always been important for professionals in the fields of anti-money laundering (AML), fraud, corruption, investigations, cybersecurity and the like, because the arcane alchemy of skills needed to ensure success can be both very broad and very specific at the same time.
  • Typically, professionals in this field need to curious, creative, courageous, commanding, cajoling, highly organized and yet highly flexible and malleable to quickly adapt to the latest criminal trend, regulatory focal point or institutional vulnerability – or any other high-pressure, time sensitive, red alert level priority that has leapt to the fore of the ever-expanding and constricting matrix of risk.
  • But there are some tips and tactics to better position yourself to ensure you are finding the best jobs to suit your unique mix of strengths, experience, personality and even feed your passion to give you a greater sense of purpose as you rise in your career. Some key areas you should focus on: researching, job application, recruiters and networking.

By Zachary Plotkin
Head of Compliance, Legal, Privacy, Cyber at Infinity Consulting 
October 20, 2020 

Editing and additional content by ACFCS VP of Content, Brian Monroe

Is job hunting getting you down? Do you work all day only to come home and start the process of looking for a job? Job hunting during a pandemic is more stressful and effort driven than ever before.

The good news is that during this time, compliance, risk and financial crime positions have only become more ubiquitous within the job market. Researching, applying carefully, building relationships, and networking can help you obtain a position within these fields.

But there are some tips and tactics to better position yourself to ensure you are finding the best jobs to suit your unique mix of strengths, experience, personality and even feed your passion to give you a greater sense of purpose as you rise in your career.

The need to wargame has always been important for professionals in the fields of anti-money laundering (AML), fraud, corruption, investigations, cybersecurity and the like, because the arcane alchemy of skills needed to ensure success can be both very broad and very specific at the same time.

What do we mean? Here are some examples: Oh, you can do investigations. Great! We need a deep dive on synthetic ID fraud. You know AML and systems. Awesome! We were looking for a risk assessment and transaction monitoring model validation specialist. You have international banking experience. Wonderful! Because we need you to scrutinize for nested transactions in our high risk correspondent network.

But that’s not all you will need to conquer compliance.

Typically, professionals in this field need to be curious, creative, courageous, commanding, cajoling, highly organized and yet infinitely flexible and malleable to quickly adapt to the latest criminal trend, regulatory focal point or institutional vulnerability – or any other high-pressure, time sensitive, red alert level priority that has leapt to the fore of the ever-expanding and constricting matrix of risk.

Some of the critical areas of focus on in looking for a new job include:  

  • Researching: To find the best job that suits your talent and expertise, do some digging.
  • Apply carefully: By taking a shotgun approach to applying, you may end up shooting yourself in the foot.
  • Building a relationship with a recruiter: This is a strategy that can’t be stressed enough. Just as consultants are the nexus between what regulators want and what banks must improve, recruiters are the bridge between what banks need in terms of talent, experience and resources, and what they don’t have to meet regulatory expectations, manage rising risks and be viewed as a true ally of law enforcement.
  • Networking: Remember that foot we mentioned earlier, the one we warned you not to shoot? Try instead to connect, collaborate and even cajole some of the top minds in your field, as they just might help you get that foot of yours in the door – to your dream job. 

Researching

The first thing that job seekers within this field need to do is research.

Understanding what you want and what you are looking for is one thing but understanding where you want to go is entirely different. When a candidate is looking to break into the industry, the candidate needs to understand that compliance has multiple sub-divisions.

The sub-divisions can be broken out into multiple categories, such as, types of institutions (banks, RIA, MSB, B/D, etc), types of products (Commercial banking, retail banking, capital markets, etc) and the function within the compliance/financial crimes division (AML, KYC, OFAC, etc.)

Applying Carefully

The biggest mistake a candidate can make when looking for a job is applying aimlessly to jobs – whether that is multiple jobs at the same company or jobs at different companies.

You should be very meticulous and pick which jobs you actually want to apply to verses applying just for the sake of it. What you are doing when you apply aimlessly is putting your resume into a black hole that most people never hear back from (the application process).

Job portals automatically save your resume, so if you apply directly to two different positions at the same firm, the internal recruiter will see that you applied to multiple positions.

That internal recruiter may think “why is he/she applying to multiple positions at my firm? Do they not know what they want?” You will have more success if you apply carefully and strategically to the places and positions you actually are interested in.

Building a relationship with a recruiter

One of the best resources a candidate can utilize is a good recruiter.

A recruiter should be able to tell you everything that a job description cannot. Recruiters are your best source of market intel and internal culture information within a company.

A recruiter can also help you navigate through the process of getting an opportunity.

Be honest with them and they will be honest with you. The field of compliance, risk and financial crimes is small, so there is a good chance a recruiter will always be one degree of separation from at least one to two people you know.

It is important to build that rapport with a recruiter so that when the opportunity you want comes around, your recruiter knows and can let you know immediately.

Networking

One of the best ways to secure a new opportunity is to network.

There is no easier way to obtain a job in any field than utilizing your network. If you do not have a strong network, utilize virtual networking events during this time.

There are numerous resources, such as webinars provided by associations, like ACFCS J, specific LinkedIn groups, and recruiters in the space.

Put yourself out there and ask basic questions that stir conversation. If you just attend the networking event and wait for someone to talk to you, you will have less success.

As we mentioned, part of getting known and being seen as a thought leader by your peers and potential employers is putting yourself out there. Remember, if you don’t ask questions you will never know about opportunities.

To recap, make sure you are doing your homework on each firm and applying carefully to the positions you actually want.

Be strategic in building a relationship with a recruiter and utilize your network. Looking for a job is a job in itself.

At times it can be very challenging, however it helps to stay positive and look in the mirror and ask yourself, “Have I done everything I can to put myself in the best possible position?” 

5 Steps to a Stronger Fraud Detection Program in 2020 and Beyond



by: Terri Luttrell, CAMS-Audit

As 2020 comes to an end, the effects of the COVID-19 pandemic cannot be denied by businesses or communities around the globe. The financial devastation, as well as loss of life and health, has taken its toll. Natural disasters of any kind have historically brought fraudsters out of the woodwork, pouncing on what seems to be a neverending pool of vulnerable victims.

The Federal Bureau of Investigations (FBI) reports that the more catastrophic the event, the more active the fraudsters. COVID-19 is arguably the worst worldwide disaster in decades, and an increase in fraud has been detected on a wide scale. While some of the recent trending fraud schemes are not new, they have been transformed to prey on communities already dealing with unprecedented times. How is your organization moving to solidify its anti-fraud program to mitigate these increased risks?

Based on historical disaster statistics, the U.S. Department of Justice expects overall fraud to rise 10-12% due to COVID-19. In a recent survey conducted by the Association of Certified Fraud Examiners, 77% of member respondents said they have observed an increase in the overall level of fraud, with one-third noting that this increase has been significant. That’s notably higher than in May 2020, when 68% of respondents had seen an increase in fraud, and one-quarter labeled the increase significant.

The pandemic has created the need for organizations to look at their anti-fraud programs to determine if there is increased risk exposure to be addressed. The relief financing that generally follows disaster events unfortunately leads to a correlated increased risk of fraud. The more funding to enter the economy, whether due to hurricanes, wildfires, or a pandemic, the greater the presence of bad actors. Therefore, while COVID-19 is the current trigger for fraud trending upward, organizations should position themselves to prevent future increases. As individuals, we have experience; we know what to do to deter fraud and mitigate risk. However, combatting risks and anticipating evolving risks in the current environment takes a concerted effort by organizations to bolster their anti-fraud programs.

Download the full, complimentary whitepaper to learn 5 key steps to improving your fraud detection program during and after the COVID-19 pandemic.

Hemp and Commercial Banking: Risks, Opportunities, Confusion

The global industrial hemp market is projected to grow from $4.7 billion in 2019 to $26.6 billion by 2025. This represents an opportunity, but also a potential compliance headache, for financial institutions interested in servicing this space.

Why a headache? As you might know, hemp comes from the cannabis plant, the same source of a very famous drug that remains illegal under federal law in the United States, along with many other countries. Hemp itself is not illegal, and along with other uses it’s the source for CDB oil, a booming consumer product with a variety of applications. However, different states have different regulations, some states require fairly complex licensing and tracing of crops, and so-called “hot hemp” can sometimes tip over into illegal territory.

Confused yet? Fortunately, we have a well-informed guide to the world of hemp and commercial banking in the form of Amanda DuPont, Public Records Product Expert with Thomson Reuters. On this CrimeCast, she shares insights on why hemp is such a hot topic, the legal background on banking hemp, and key considerations for financial institutions.

After months of court battles, Westpac settles with Austrac, agrees to pay $1.3 billion for millions of AML failings, ties to child exploitation network

The Skinny:

  • The big Aussie AML battle in the bush is over.
  • After months of haggling in a widely-watched game of brinkmanship, Australia’s top financial regulator has issued a record, statement making penalty of more than $1 billion against the country’s second largest bank for fincrime compliance failings – the most serious of which tied to exploiting children.
  • The Australian Transaction Reports and Analysis Centre (Austrac) and Westpac have agreed to a $1.3 billion penalty – less than the originally desired $1.5 billion, but far more than the $900 million set aside by the bank, a figure the institution said it would not budge from in negotiations.
  • The millions of anti-money laundering (AML) failings involving billions of dollars in transfers form the foundation of the fine, an amount that “reflects the seriousness and magnitude of compliance failings by Westpac,” according to Austrac.
  • The penalty has several key takeaways for fincrime compliance professionals in Australia – and the world over.
  • In short, AML teams must better get to know the nuanced transaction trails tied to child exploitation networks, just as they have in recent years related to human trafficking groups, and keep better oversight of regions at a higher risk for child exploitation, including gaps through leaky correspondent portals.
  • The penalties also echo the grumblings from regulators in the United States, Europe and the Nordic and Baltic Regions, where examiners have also cited institutions for broad failures in AML 101 areas.
  • Which ones? These might sound familiar: the depth and accuracy of customer due diligence, how those figures inform the risk assessment and how those scores tune the transaction monitoring system – the beating electronic heart of any fincrime compliance program.

By Brian Monroe
bmonroe@acfcs.org
October 6, 2020 

After months of haggling, behind the scenes negotiations and a widely-watched game of brinkmanship on both sides, Australia’s top financial regulator has issued a record, statement making penalty of more than $1 billion against one of the country’s largest banks for financial crime and compliance failings – the most serious of which tied to exploiting children.

The Australian Transaction Reports and Analysis Centre (Austrac) and Westpac have agreed to a $1.3 billion penalty – less than the originally ballyhooed $1.5 billion the regulator initially sought, but far more than the $900 million set aside by the bank, a figure the institution said it would not budge.

The millions of anti-money laundering (AML) failings involving billions of dollars in transfers form the foundation of the fine, an amount that “reflects the seriousness and magnitude of compliance failings by Westpac,” according to Austrac.

To read the announcement, statement of facts and notice of filing, click here, here and here.

The penalty has several key takeaways for fincrime compliance professionals in Australia – and the world over.

In essence, AML teams must better get to know the nuanced transaction trails tied to child exploitation networks, just as they have in recent years tied to human trafficking, and keep better oversight of regions at a higher risk for child exploitation, including through leaky correspondent portals.

More broadly, banks are trying to band together to better identify transaction patterns tied to exploiting children, particularly tied to online streaming.

That is one of the goals set out by the Egmont Group of Financial Intelligence Units (FIUs), which include many of the largest countries in the world.

The group, as part of a Jointly-led project by AUSTRAC, Australia, UKFIU, United Kingdom and AMLC, Philippines, is collaborating with INTERPOL and the FIUs from around the globe to better understand the financial and banking components of the online streaming of child sexual abuse and exploitation (CSAE) material.

To review the group’s just released findings, click here.

The Egmont Group report also noted the potential involvement of organized crime in such exploitation networks.

“In impoverished communities, online streaming offers a financial incentive for criminal networks, which creates a commercial element for CSAE,” according to the group. The illicit business models in relation to this activity, whereby offenders pay to view CSAE material via online streaming, means there is a money trail in the form of payments and profits.”

While it is noted that a lack of large profits means wide-scale involvement of organized  criminal groups (OCGs) is likely to be limited, there “is some evidence of criminal business structures in developing countries exploiting the commercial opportunities presented by online streaming of CSAE.”

Building pressure on regulators the world over to bring the hammer on AML

The AML penalties also echo the grumblings and mirror the compliance flashpoint issues in places like the United States, Europe and the Nordic and Regions.

In the regions, regulators have repeatedly cited institutions for broad failures in core, foundational areas of the AML program, such as the depth and accuracy of customer due diligence, how those figures inform the risk assessment and how those scores tune the transaction monitoring system – the electronic heart and digital brain of most compliance programs.

The Federal Court of Australia will now consider the proposed settlement and penalty. If the Federal Court determines the proposed penalty is appropriate, the “penalty order made will represent the largest ever civil penalty in Australian history.”

In the settlement, Westpac admitted to breaching Australia’s chief AML regulations on more than 23 million occasions, exposing Australia’s financial system to criminal exploitation.

In summary, Westpac admitted that it failed to:

  • Properly report over 19.5 million International Funds Transfer Instructions (IFTIs) amounting to over $11 billion dollars to Austrac.
  • Pass on information relating to the origin of some of these international funds transfers, and to pass on information about the source of funds to other banks in the transfer chain, which these banks needed to manage their own ML/TF risks.
  • Keep records relating to the origin of some of these international funds transfers.
  • Appropriately assess and monitor the risks associated with the movement of money into and out of Australia through its correspondent banking relationships, including with known higher risk jurisdictions.
  • Carry out appropriate customer due diligence in relation to suspicious transactions associated with possible child exploitation.

In reaching the agreement, Westpac also admitted to “approximately 76,000 additional contraventions which expand the original statement of claim,” according to Austrac.  

“These new contraventions relate to information that came to light after the civil penalty action was launched last year and relate to additional IFTI reporting failures, failures to reasonably monitor customers for transactions related to possible child exploitation, and two further failures to assess the money laundering and terrorism financing risks associated with correspondent banking relationships.”

AUSTRAC’s Chief Executive Officer, Nicole Rose PSM, said the settlement “sends a strong message to industry that Austrac will take action to ensure our financial system remains strong so it cannot be exploited by criminals.”

“Our role is to harden the financial system against serious crime and terrorism financing and this penalty reflects the serious and systemic nature of Westpac’s non-compliance,” she said.

“Westpac’s failure to implement effective transaction monitoring programs, and its failure to submit IFTI reports to Austrac and apply enhanced customer due diligence in relation to suspicious transactions, meant Austrac and law enforcement were missing critical intelligence to support police investigations.”

Such a large number of breaches over several years was “unacceptable and could have been avoided with better assurance and oversight processes to identify ongoing reporting failures,” Rose said, adding that, on the plus side, Westpac continues to partner with Austrac and assist law enforcement agencies to stop financial crime through private-public partnerships, including the the Fintel Alliance.

In breaking the billion-dollar barrier, Austrac has set a new ceiling for AML penalties

In the months of negotiations, it was clear Austrac wanted to break the billion-dollar barrier – and Westpac did not want to let them.

Those figures are significant because they would have, and eventually did, set a new precedent for penalty ceilings in Australia for systemic AML program failings.

Austrac has only had a handful of major AML enforcement actions with U.S.-style penalty figures – with all of them south of $1 billion Aussie dollars.

The U.S. still has the highest ever compliance and sanctions penalty ever handed out at just shy of $9 billion against BNP Paribas in 2015, with the bulk of that tied to dealing with blacklisted regimes.

In August 2017 Austrac applied for a civil penalty order under the AML/CTF Act against the Commonwealth Bank of Australia (CBA). In June 2018, the Federal Court ordered CBA to pay a penalty of A$700 million.

Prior to that, in 2015, Austrac applied for a civil penalty order under AML regulations against Tab Ltd, Tabcorp Holdings Ltd and Tabcorp Wagering (Vic) Pty Ltd (‘Tabcorp’). In early 2017, the Federal Court ordered Tabcorp to pay a penalty of A$45 million.

Even as sabers continued to clash in recent months behind the scenes with legal thrusts and parries in court, Austrac has already exacted a pound of flesh, causing executive upheaval at the highest levels of Westpac.

In November, in the wake of Austrac’s penalty order, Westpac stated its chief executive and chairman would be stepping down in response to the scandal.

Bowing to shareholder pressure, the bank stated at the time that Brian Hartzer would leave Dec. 2 after more than four years as CEO and managing director.

At the same time, Lindsay Maxsted, the chairman of almost eight years, agreed to voluntary retire in the first half of 2020.

The managerial bloodletting was clearly done by Westpac in hopes of proving to regulators the bank has changed its tune on compliance – a potential hard sell, however, reviewing how it treated a top compliance professional working to rectify the issues.

“As CEO I accept that I am ultimately accountable for everything that happens at the bank. And it is clear that we have fallen well short of what the community expects of us, and we expect of ourselves,” Hartzer said at the time of his departure.

A highly touted compliance ‘response plan,’ though tethered to a question of sincerity  

The news is tinged with irony as other media reports highlighted at the time that Westpac in its initial response to compliance problems didn’t support the compliance professional who brought the failings to the bank’s attention, but instead tried to bury the dirt, removing her from the position.

Westpac also laid out a four-page Austrac and overall compliance remediation “Response Plan,” which details some of the more pressing and longer term plans the bank has to address issues uncovered internally and externally, including: 

  • Immediate fixes, including closing LitePay, a remittance arm that allowed wires of thousands of dollars for a flat fee, but failed in user oversight and transaction monitoring. 
  • Lifting our standards, including priority screening and improving cross-industry data sharing, a move done as a mea culpa to help better identify larger, interconnected crimes.
  • Protecting people, including investments to reduce the human impact of financial crime, in the form of spending more than $30 million on various initiatives to better spotlight and protect children and convene with experts to better be part of the solution and not the problem. 

The news of executive upheaval roughly coincides with Westpac stating it will invest $25 million Australian dollars to improve cross-border and cross-industry data sharing and analysis as one of the “immediate fixes” as part of its response plan, following issues raised by Austrac.

That is also in-line with other global banks strengthening public-private partnerships to both boost compliance and become more aligned with law enforcement trends and needs, according to media reports.

Parallels with other EU banking scandals?

The Westpac saga is turning into Australia’s version of the Danske Bank scandal, with an institution taking the rare step of jettisoning seemingly entrenched executives as a show of faith, force and fealty to regulators.

The scandal against Danske, Denmark’s biggest bank, originated after it failed to adequately scrutinze about 200 billion euros in non-resident flows through its Estonian operations, much of which was subsequently deemed suspicious.

Since the money laundering case erupted, Danske has replaced a number of executives and board members to bring in people who aren’t tainted by the scandal – a more stringent response than many high-profile U.S. AML penalties, where the penalties are higher, but against individuals, only a few compliance deck chairs get moved around.

The money laundering scandal and related investigations have resulted in Estonia booting Danske out of the country and has spawned aggressive investigations into banks in the Nordic and Baltic regions and the United States, particularly Swedbank and Deutsche Bank, among others.

At the supranational level, the Danske scandal has caused European Union regulators, at the country and bloc level, to engage in a game of naming, blaming and shaming, with accusations and recriminations at all levels – the tacit meaning that Austrac also has its name and reputation as a top enforcement body on the line with the world watching how it would negotiated the Westpac fine.

In recent months, the EU has pushed to create a dedicated pan-bloc AML oversight and enforcement body that would put regional regulators in the hot seat and better attempt to see fincrime vulnerabilities happening across multiple member states.

Not to be lost in the shuffle, the need for a shift in compliance culture

The future similarly looks costly for Westpac when it comes to compliance. 

What is clear reading these stories is that the bank also had a failure of what U.S. regulators call a “culture of compliance” where a financial crime compliance officer is valued, their concerns addressed and suggestions taken seriously and implemented. 

In the case of Westpac, the compliance officer who first found the problems and was working for months to get to the root of the issue, was given the sacrificial lamb treatment, most likely as a way for the bank to quickly and immediately show Austrac it “did something.” 

If that culture doesn’t change, along with setting a compliance “tone at the top,” a common U.S. regulatory refrain, all the technology improvements and investments to various child protection organizations in the world won’t make the changes needed.

Westpac needs all the pieces of the puzzle to come together – technology, resources, culture and authority for AML investigators – to go from a failing entity from a compliance perspective to a law enforcement ally championing the safety of children and all other vulnerable groups.

Even after Austrac settlement, more legal wrangling to come 

In the United States, the bank has also been sued by more than half a dozen groups as part of a bevy of class action lawsuits.

The latest suit, filed earlier this year by investor rights law firm Bernstein Liebhard in a U.S. court, came just days after six U.S.-based law firms announced similar class-action lawsuits against the lender.

Westpac in statements had cautioned that similar suits may follow, while responding to New York-based Rosen Law Firm’s suit, according to media reports and court filings.

Bernstein said in a statement the class action was filed on behalf of investors who bought Westpac’s securities between Nov. 11, 2015 and Nov. 19, 2019.

The law firm accused the lender of not carrying out appropriate due diligence on transactions in Southeast Asia and the Philippines and failing to monitor terrorism financing risks with movement of money into and out of Australia among others.

This is not entirely unexpected.

In the face of several high-profile fincrime compliance failures in Australia and the Nordic and Baltic regions, investors have fumed in the face of falling stock prices and levied lawsuits at the institutions.

As difficult as this will be for Westpac, there is one bright spot for the broader AML compliance community: this cautionary tale could be great leverage to use when counter-crime teams are trying to get more budget to improve training, systems and overall resources.

Special ACFCS/S2FIS Webinar Series Preview and Financial Crimecast: To conquer compliance, take a hybrid threat finance approach, switch focus from actions to actors

The Skinny:

  • In this ACFCS Financial Crimecast we preview a special six-week webinar series and course on the transformative power of taking a hybrid threat finance approach to implementing anti-money laundering (AML) programs.
  • The argument: by switching the focus from broad actions and pre-determined scenarios to responding to the actual transactional DNA of threat actors, banks have the chance create timely intelligence with a “high degree of usefulness” to law enforcement.
  • In this chat, we speak to the intense, informed and ever-focused Joshua Fruth, who for the past decade has devoted himself to learning about how criminal networks of all sizes fund and launder funds to keep their illicit enterprises running – akin to how a legitimate corporation operates.
  • Fruth and longtime financial crime compliance thought leader Debra Geister, the head of Section 2 Financial Intelligence Services are also the architects of the Section 2/ACFCS Hybrid Threat Finance Virtual Training Series, a six-week course starting Oct. 14. To learn more about the series and sign up, click here.
  • The training webinar series has collected many of the biggest names and respected professionals across the fields of AML, investigations, intelligence, terror finance, organized crime, money laundering and other disciplines to teach how the savviest illicit groups cleanse their ill-gotten gains.

By Brian Monroe
bmonroe@acfcs.org
October 2, 2020 

In this ACFCS Financial Crimecast we preview a special six-week webinar series and course on the transformative power of taking a hybrid threat finance approach to implementing anti-money laundering (AML) programs.

The argument: by switching the focus from broad actions and transaction monitoring systems alerting on red flags, pre-determined scenarios and monetary thresholds to responding to the actual transactional DNA of threat actors, banks have the chance to bolster efficiency, effectiveness and create timely intelligence with a “high degree of usefulness” to law enforcement.

In this chat, we speak to the intense, informed and ever-focused Joshua Fruth, who for the past decade has devoted himself to learning about how criminal networks of all sizes fund and launder funds to keep their illicit enterprises running – akin to how a legitimate corporation operates.

Fruth and longtime financial crime compliance thought leader Debra Geister, the head of Section 2 Financial Intelligence are also the architects of the Section 2/ACFCS Hybrid Threat Finance Virtual Training Series, a six-week course starting Oct. 14.

To learn more about the series and sign up, click here.

The training webinar series has collected many of the biggest names and respected professionals across the fields of AML, investigations, intelligence, terror finance, organized crime, money laundering and other disciplines to teach how the most savvy illicit groups cleanse their ill-gotten gains.

The series will include case studies and real-life examples with practical takeaway for AML analysts, public and private sector investigators, regulators and auditors.

Here is a snapshot of S2’s Threat Finance Academy (TFA), including speaker lineup and topics for Hybrid Threat Finance Series One:

  • 10/14/20: Derek Maltz, Director, DEA Special Operations Division (Ret.), “Intro. to Hybrid Threat Finance”

    10/21/20: COL Josh Potter, Director, J36 Transnational Threats Division, USSOCOM (Ret.), “Terrorism Finance 2020”

    10/28/20: Stephen Murphy & Javier Peña, DEA (Ret.), Netflix hit series “Narcos,” “Illicit Finance in Drug Trafficking”

    11/04/20: David M. Luna (罗文礼), President and CEO 🦏 🐘 🌎, Senior Director for National Security & Diplomacy, US Dept. of State (Ret.), “Counterfeiting & Wildlife Trafficking”

    11/11/20: Jimmy Arroyo, Assistant Special Agent in Charge, DEA NY Division, “Trade-based Money Laundering”

    11/18/20: Dr. Vanessa Neumann, Venezuelan-American Diplomat, “Corruption & Sanctions Evasion – Venezuela”

Fruth also tackles the issues of the day, including why the recent leak of suspicious activity reports (SARs) from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) by the International Consortium of Independent Journalists (ICIJ), the same group behind the seminal Panama Papers and Paradise Papers leaks, is a national security concern that could even put the lives of compliance professionals at risk.

As well, Fruth gives a glimpse of the future of AML with FinCEN in recent weeks detailing a broad and expansive overhaul to the country’s countercrime compliance regime, retooling the emphasis from auditable inputs for regulators to valuable outputs for law enforcement – the eventual customers of AML intelligence reports.

But what is hybrid threat finance?

Hybrid threat finance (HTF) detection:

  • Based on the intelligence community’s “Hybrid Threat” targeting doctrine.
  • A strategy that recognizes the interconnected nature of hostile, sanctioned nation-states, organized criminal groups and terror networks.

Actor-centric detection methods versus action-centered, broad red flags, thresholds:

  • Increase risk coverage, decrease false positives and lower compliance costs.
  • Tactics, techniques and procedures (TTPs) change based on the predicate source of revenue, the threat group and the geographic nexus.

Some examples: An operation having and moving too much cash could be tied to a terror group, preparing to dole out funds in preparation for an attack.

Similarly, a burst in funds transfers, particularly with a propinquity to the Americas or Middle East, could be tied to drug trafficking for a narco cartel.

A high velocity and flow of funds, layering, could be tied to a human trafficking group, with a corresponding move to one account in Mexico, the Philippines, Thailand or China.

These are the nuanced transactional tells that Fruth has pushed himself to better uncover at both the public and private sector levels.

Fruth’s work as a US Army Intelligence Officer, Law Enforcement Officer, Federal Task Force Embed, Federal Contractor, & Anti-Money Laundering (AML) Compliance Director has afforded him the unique opportunity of having participated in a wide range of public & private sector investigations, intelligence, and special operations.

He is a Counter Threat Finance (CTF), Counterterrorism, and Counternarcotics targeting practitioner who has deployed globally with a functional expertise in disrupting the illicit revenue generation, money laundering, and funds access mechanisms and typologies used by bad actors, malign organizations, transregional, and transnational hybrid threat networks.

He’s traversed the intelligence, law enforcement, and regulatory communities and worked with some of the world’s largest banks and tech companies. Fruth has a unique perspective regarding financial crime, having personally physically interdicted many of the illicit activities that precede the need to launder funds in the first place.

His career caseload has included violent crime, terrorism, sex crimes, organized trafficking of persons/weapons/narcotics/counterfeit goods/minerals; white-collar crime, sanctions evasion, counterintelligence & corruption in both operational and analytic roles.

Tips, tricks and timestamps

Link analysis: Actions vs. actors

5:00: The link between clean data and detecting threat actors and interlinked groups

7:00: AI can’t save you…from yourself.

Tell me something I don’t already know

10:00: Threat classifications, sub classifications and what can I do about human trafficking

12:00: Different mechanisms of control, different transactional DNA.

13:00: Example of hybrid threat actors in action: Hezbollah.

Institutionalized, corporate laundering

14:00: Organized criminals act just like corporations. They need money to pay the bills.

16:00: Is money laundering the world’s biggest human rights violation?

20:00: The corruption and money laundering connection.

22:00: Yes, criminal groups have a “human resources” department.

How to standardize the most subjective part of AML: investigative decision-making

25:00: How to standardize what makes a good financial crimes investigator.

26:00: A preview of the event to teach on hybrid threat finance.

FinCEN files: The leak that rocked a country, a sector and some context

27:00: Reactions and risks tied to the “FinCEN files” leak.

29:00: Um, Josh, can you just solve AML for me. Great, thanks.

35:00: For banks named in leaks, some context. The formerly fined have gone from compliance pariahs to law enforcement allies. In short: investigators told banks not to close the account, so stop trying to beat them up.

37:00: Gaps, integrity and doing the right thing: The spine of the compliance professional.

The good, the bad and ugly: After a look inside the AML playbook, criminal groups will adapt laundering tactics

40:00: An equal and opposite reaction: If bad guys see how we SARed them, they will adapt, adjust and evade anew.

42:00: Will banks be gunshy in filing strong SARs? Can the leak hurt active law enforcement investigations? Will the leak be a field day for defense attorneys, civil lawsuits?

44:00: The detection programs the models, the rules, the algorithms and how they have been tuned should be held as closely as national security, because bad guys will use those to evade detection. Another aftermath of the FinCEN files leak.

A new AML regime, a new day, and a new way to SAR in proposed FinCEN rules

49:00: A look at the new AML regime to come: The FinCEN proposed update for banks to focus on effectiveness and creating SARs with a “high degree of usefulness” law enforcement.

50:00: A question: how can a regulator judge a bank SAR, or AML program, without first talking to law enforcement? The answer: the can’t. They have to liaise.

55:00: How do you profile a threat? Divine how the threat actors acted.

Behavioral analytics and pattern of life analysis: Actor-centric targeting logic

56:00: The importance of context when juggling risks and resources. Looking through the many lenses of layers of hybrid threat finance.

1:00: Profiling and how to articulate the behavioral attributes of a narco cartel or money laundering network. Pulling apart the global threat landscape into actionable steps.

1:05: A look at Hezbollah through the microscope of hybrid threat finance.

1:10: Revenue generating events and explaining away illicit finance using shell companies, front companies and trade-based money laundering. From Lebanon to South America and a padded pass through to China.

1:13: The global threat landscape is complicated, but relatively static. Data and better pulling in the technology component to create better AI-driven scenarios. 

ACFCS Member Spotlight: A strong sense of justice, passion to inspire leads to career fighting crime as prosecutor, journalist, compliance thought leader for Gina Jurva

The Skinny:

  • In this ACFCS Member Spotlight, Gina Jurva, an attorney and Manager for Market Intelligence & Enterprise Content-Corporates & Governments for the Thomson Reuters Institute (TRI), gives a glimpse into her journey from playing prosecutor in her home to crafting cases in real life and becoming a thought leader in the field of financial crimes compliance.
  • Part of what propelled her on this journey over the past roughly 15 years – that would include becoming a journalist, public speaker and anti-money laundering (AML) compliance champion – was a simple but profound question as child: why weren’t there more powerful female role models on legal dramas going after the bad guys?
  • Jurva sought to fill that void through her own force of will and determination, eventually becoming a prosecutor and defense attorney.
  • Critical to her success, however, is never settling for the status quo: a continuous push for improvement in both the professional and personal spaces, a dynamic to ensure you can excel in any position, learn, grow and become “indispensable” to your organization.

By Brian Monroe
bmonroe@acfcs.org
September 28, 2020 

For Gina Jurva, the journey over the past nearly 15 years to become an attorney, journalist, public speaker and fincrime compliance thought leader started with an unlikely beginning – a courtroom of her own creation fueled by her imagination.

Along the way she would find herself, her inspiration, her voice, her calling – and even love.

As a child growing up in the neon-soaked decade of the 1980s, the California resident always had an “ingrained sense of justice and the rule of law,” even though she didn’t see many woman attorneys holding court on television.

That absence sparked curiosity, the question of why?

Finding the answer would be Jurva’s first steps on a quest in her life to champion more diversity in courtrooms, boardrooms and classrooms – the foundation of learning and representation for the next generation, culminating in Jurva landing her “dream job” at Thomson Reuters, a multi-billion dollar media company.

So without a powerful, independent female figure in the courtroom to turn to on television, Jurva created her own fuzzy, stuffed version of “Law and Order.” Before her age was even in double digits, Jurva acted out the roles of prosecutors and judges with her family and toys as the accused.

“My grandmother was regularly found not guilty, but my stuffed animals usually received ‘life in prison,’” Jurva said, joking that, “Hey, as an only child you must be creative!”

Little did she realize that later in life, she would replace prosecution, defense strategies and closing arguments for family members for members of illicit criminal groups.

“I knew from a very young age I wanted to be a criminal prosecutor, tackling some of the worst crimes both against persons but also financial crimes,” Jurva said.  

She has been immersed in the crime-fighting world since earning her bar license in 2006 and becoming a deputy district attorney in the San Francisco Bay Area. Jurva eventually opened her own law practice defending clients in criminal matters at both the trial and appellate level.

After several years as a litigator, she decided to “flip the script,” and transition out of her Perry Masonesque existence, forging a new path into the land of journalism and writing.

She held positions as editor-in- chief of a San Francisco-based print magazine, managing editor of a SF-based newspaper, and as a freelancer for the Bay Area’s NPR-affiliate, KQED.

Since joining Thomson Reuters more than seven years ago, she has served as Senior Legal Writer and Editor and currently serves as Manager, Market Intelligence & Enterprise Content-Corporates & Governments for the Thomson Reuters Institute (TRI).

In that role, Jurva leads content and multi-media activities to highlight solutions to some of the world’s most pressing risk, regulatory compliance and public and private sector challenges including anti-money laundering (AML) and e-commerce fraud.

She also frequently writes, speaks and contributes as a co-host to a Thomson Reuters-branded podcast, talking about the latest fraud and financial crime trends.

More recently, she graduated from the Campaign School at Yale University and is looking to further service the public trust by potentially running for office in the future.

It was her desire to help others less fortunate and devote herself to a higher cause that also led to love – and some very sore quads.

Jurva has participated in a seven day, 545-mile charity bike ride for HIV/AIDS awareness twice as a cyclist and once as a roadie.

“The bike ride is from San Francisco to Los Angeles (the AIDS/LifeCycle), requiring each cyclist to raise a minimum of $3,000,” she said. “As I was training for the ride, I met and fell in love with my (now) wife.”

The lessons of sharing, caring, kindness and giving your all to a singular purpose is an apt comparison to the knowledge, focus and continuous learning needed to be successful in the field of financial crime and compliance.

One of the best pieces of advice was given to her by a former supervisor who said: “Make yourself indispensable to your organization. Be the best at what you do. Know your craft well and excel in it.”

Part and parcel of excellence as a professional is growth as a person – and a ruthless commitment to do what is right and just.

“Reputation is everything,” Jurva said. “If you damage it, it can take a lifetime to regain. But if you always act with integrity and fairness, no matter whom you are dealing with, you will succeed and thrive.”

Jurva was kind enough to share some of her insight in our latest ACFCS Member Spotlight. Here is an edited version of that conversation. 

Who inspires you?

There are three women come to mind immediately: Kamala Harris (especially as a prosecutor, AG, US Senator and now VP candidate), Supreme Court Justice Ruth Bader Ginsburg and former First Lady Michelle Obama. All attorneys and all women who have had to fight their ways to the top.

I am particularly inspired by Michelle Obama’s message about taking chances.

A quote from Mrs. Obama has always stuck with me: “This may be the fundamental problem with caring a lot about what others think: It can put you on the established path — the “my, isn’t that impressive” path — and keep you there for a long time,” she explained in an interview. “Maybe it stops you from considering a swerve, because what you risk losing in terms of other people’s high regard can feel too costly.”

Each woman has also shown the power of resilience and of empowering other women on their journeys. 

What is one thing - industry-related or not - that you learned in the past month?

Camping really isn’t so bad… 

What is something about you that not many people know?

I’ve participated in a seven day, 545-mile charity bike ride for HIV/AIDS awareness twice as a cyclist and once as a roadie.

The bike ride is from San Francisco to Los Angeles (the AIDS/LifeCycle), requiring each cyclist to raise a minimum of $3,000. As I was training for the ride, I met and fell in love with my (now) wife. 

What do you do in your current role

On behalf of the Thomson Reuters Institute (TRI), I lead content and multi-media activities to highlight solutions to some of the world’s most pressing risk, regulatory compliance and public and private sector challenges including anti-money laundering (AML) and e-commerce fraud.

As a thought leader, I frequently write, speak and contribute as a co-host to a Thomson Reuters-branded podcast, talking about the latest fraud and financial crime trends. 

What does your career trajectory in financial crime look like?

I will continue to learn and grow, likely moving towards a formal financial crime certification and hopefully into more work in the public sphere such as more robust appearances on Reuters TV appearances and other outlets.  

What is the best advice you have ever received?

A former supervisor once told me, make yourself indispensable to your organization.

Be the best at what you do. Know your craft well and excel in it. Reputation is everything. If you damage it, it can take a lifetime to regain. But if you always act with integrity and fairness, no matter whom you are dealing with, you will succeed and thrive. 

What would you say are the most important attributes for someone in your position to succeed?

First, you must enjoy keeping up with the news. I am a news junkie and love staying abreast of current events which helps to better inform my work.

Another key attribute in my role is the ability to convey complex ideas into simple concepts. That isn’t always easy because I am challenged with explaining intricate financial crime schemes. But the challenge is fun and rewarding.

Because I am in such a public-facing role for Thomson Reuters, the ability to speak well on camera and at live events is also crucial.

As I mentioned, I started my career as a prosecutor in a courtroom, having to convince 12 (sometimes) angry people, that my case was worth listening to and that I wasn’t wasting their time. That requires countless hours of training and performance skills.

Later, I learned more about podcasts and what it means to have a “radio” speaking voice while at NPR. Everything I have done has prepared me for my role as one of the faces of Thomson Reuters Thought Leadership.  

How has (compliance, investigations, etc.) changed and evolved during your career?

A lot has changed since I became an attorney in 2006. Technology has rapidly evolved for monitoring and detecting financial crimes including things like risk scoring and automating Know Your Customer (KYC) processes.

Also, courtroom technology has changed to much more advanced technology-based evidence presentations.  

What do you see as the key financial crime challenges in your role or in the sector overall?

The biggest challenges are identifying and stopping international criminal groups, particularly related to cyberattacks and data security breaches.

We saw the recent unemployment fraud scam, reported to have been committed by a Nigerian criminal ring using data stolen during one of the many large corporate breaches. Those types of actors and actions keep me up at night. 

What motivated you to become a financial crime compliance professional?

As a child, I always had an ingrained sense of justice and the rule of law.

When I was about seven or eight years old, I would make my family sit on the couch and pretend to play “courtroom” with me. My grandmother was regularly found not guilty, but my stuffed animals usually received “life in prison.” (Hey, as an only child you must be creative!)

I knew from a very young age I wanted to be a criminal prosecutor, tackling some of the worst crimes both against persons but also financial crimes.

As a child growing up in the 1980’s, I didn’t see many attorneys that looked like me and I wanted to know why. It is incredibly important that we have diverse voices in courtrooms, in boardrooms and in classrooms. 

Later, when I joined Thomson Reuters, I landed my dream job, following and reporting on financial crimes trends, and now as a co-host to our branded Thomson Reuters Market Insights podcast series.  

Is there anything that surprised you about your current role?

Yes, I was really shocked to dig in and learn how prevalent money laundering and financial crimes are in many of the cases we hear about on television or on the news.

Money laundering seems to make the criminal world go around. From Roy Cohn to Bernie Madoff to Jeffrey Epstein, financial crimes are a cornerstone of most purely non-violent crimes (and many violent crimes). 

How did you get your first job in the field and what advice would you give other job seekers to help land their first position?

It started in law school. I always knew I wanted to be a prosecutor and did everything I could to gear all my training and experience to best position myself to become a litigator.

Upon graduation from law school, I received dual certificates in litigation and criminal law.

My first job out of college was at the district attorney’s office as a prosecutor. After my time in criminal law, I went into journalism and further honed my speaking and writing skills to which led me to Thomson Reuters.  

My advice to other job seekers is that whatever career path you seek, learn as much as you can about it before going in.

Speak to people in the field, find out what their days look like. Do they spend most of their time at a desk or traveling?

Do they need to live near a major city, or can they conduct their jobs remotely?

Do the persons who have the jobs you are interested have a certain degree or field experience?

Can you join an association (like ACFCS) and network to meet others in financial crimes investigations? 

What is the most rewarding part of your job?

The most rewarding part of my job is that I get to do what I love every day: read, research, and help educate legal, corporate and financial crimes professionals about the latest crime trends.

I’ve made some close friendships as a result of fostering relationships and networking, other people who are passionate about fighting financial crime and working for the common good. 

For professionals with 5-10 years of experience, what advice would you give to help them rise in their careers to the next level?

My advice to professionals with 5-10 years’ experience is think about where you want to go in your career.

If there is a specific job title or role you are interested in, start doing your research and find out the background of people who hold those roles. Then begin the process of networking and getting to know them.

I absolutely love networking and talking to others about their training and experience.

If you are passionate about combatting financial crime and fraud, these are great ways to start conversations. Maybe you heard someone speak on a webinar and want to follow up. Great conversation starters.

Also, if you have the opportunity to write a blog post for a well-read outlet, that is another way of getting your name and brand out into the ecosystem. 

Leak of thousands of FinCEN SARs reveals large international banks still struggling on AML, serving illicit gatekeepers, corrupt powerbrokers, terror groups: ICIJ report

The Skinny:

  • The highly-anticipated leak of sensitive, suspicious filings by the U.S. Treasury’s top counter-crime compliance body has turned into a deluge, a watershed moment for investigative journalism, but a dark damnation of the banking sector’s cumulative efforts to stop the illicit, the corrupt and the chaos bringers.
  • The International Consortium of Investigative Journalists (ICIJ) – the same group behind the Panama Papers, Paradise Papers and other seminal reports – Sunday broke its latest piece, reportedly revealing that the biggest banks in the United States, United Kingdom, Europe and other regions moved trillions of dollars for a criminal cabal of all stripes.
  • The media reports were based on thousands of leaked suspicious activity reports (SARs) filed by banks and other financial firms as part of their AML compliance program requirements with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN).
  • The stories by the ICIJ, Buzzfeed and other partner media groups also represent their most direct condemnation against the cumulative efforts of the current frontline vanguard of the fight against financial crime: the anti-money laundering (AML) compliance teams working at large global banks.
  • In all, ICIJ stated the cache of “documents identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers as possible money laundering or other criminal activity — including $514 billion at JPMorgan and $1.3 trillion at Deutsche Bank.”
  • The records “show that five global banks — JPMorgan, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon — kept profiting from powerful and dangerous players.”
  • Moreover, these high-risk engagements seemingly continued even after many of these banks paid hundreds of millions – and even billions of dollars – in fines for broad and longstanding AML and sanctions failures and continued as internal compliance teams raised a litany of concerns about loudly waving red flags, the ICIJ wrote. 

By Brian Monroe
bmonroe@acfcs.org
September 20, 2020

The dam has broken.

The highly-anticipated leak of sensitive, suspicious filings by the U.S. Treasury’s top counter-crime compliance body has turned into a deluge, a watershed moment for investigative journalism, but a dark damnation of the banking sector’s cumulative efforts to stop the illicit, the corrupt and the chaos bringers.

The International Consortium of Investigative Journalists (ICIJ) – the same group behind the Panama Papers, Paradise Papers and other seminal reports – Sunday broke its latest piece, reportedly revealing that the biggest banks in the United States, United Kingdom, Europe and other regions moved trillions of dollars for a criminal cabal of all stripes.

The stories by the ICIJ, Buzzfeed and other partner media groups also represent their most direct condemnation against the cumulative efforts of the current frontline vanguard of the fight against financial crime: the anti-money laundering (AML) compliance teams working at large global banks.

To read the full series, click here.  

To get a snapshot of the stories published by the ICIJ and other news agencies aggregated by AML fincrime professional Dev Odedra at The Laundry News, click here.

In all, an ICIJ analysis found, the “documents identify more than $2 trillion in transactions between 1999 and 2017 that were flagged by financial institutions’ internal compliance officers as possible money laundering or other criminal activity — including $514 billion at JPMorgan and $1.3 trillion at Deutsche Bank.”

The records “show that five global banks — JPMorgan, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon — kept profiting from powerful and dangerous players.”

Moreover, these high-risk engagements seemingly continued even after many of these banks paid hundreds of millions – and even billions of dollars – in fines for broad and longstanding AML and sanctions failures and continued as internal compliance teams raised a litany of concerns about loudly waving red flags, the ICIJ wrote.

The media reports were based on thousands of leaked suspicious activity reports (SARs) filed by banks and other financial firms as part of their AML compliance program requirements with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN).

Under-resourced, overwhelmed and late to the party

Even with banks working in recent years to bolster “efficiency and effectiveness” and improve a “tone at the top” while fostering a “culture of compliance,” the ICIJ reports detail an AML system at many banks with woefully inadequate resources and simply overwhelmed by the sheer sums of potentially suspicious funds flowing through their institutions.

In essence, there are simply too many alerts from transaction monitoring systems – even as institutions embrace new technologies like artificial intelligence, machine learning and automation – to give these potential pings of impropriety proper depth of investigative focus.

The ratio of alerts to analysts is untenable – a common theme and familiar refrain in recent years in federal regulatory AML enforcement actions and monetary penalties.

This was borne out in the ICIJ reporting with examples of SARs that had taken months or years to get filed – even though these filings have 30-day and 60-day deadlines.

“The SARs also showed that banks often moved funds for companies that were registered in offshore havens, such as the British Virgin Islands, and did not know the ultimate owner of the account,” the report said, according to Reuters.

Investigative teams often used Google to determine risk and beneficial ownership details tied to large, risky transactions, according to the report.

What types of risky transactions, later linked to illicit entities?

“Funds processed by JPMorgan for potentially corrupt individuals and companies in Venezuela, Ukraine and Malaysia; money from a Ponzi scheme moving through HSBC; and money linked to a Ukrainian billionaire processed by Deutsche Bank,” Reuters noted.

In statements to ICIJ and on their websites, many of the banks mentioned by name in the leak have countered that the SARs and alleged activity are tied to historical gaps that have since been addressed and improved and that while the reports may paint these institutions as compliance pariahs, they are in fact, staunch and steadfast law enforcement allies.

The leaked documents, referred to as the FinCEN Files, include more than 2,100 SARs filed by banks and other financial firms with the U.S. Department of Treasury’s Financial Crimes Enforcement Network.

BuzzFeed News obtained the records and shared them with the International Consortium of Investigative Journalists. ICIJ organized a team of more than 400 journalists from 110 news organizations in 88 countries to investigate the world of banks and money laundering.

FinCEN frontran leak with pledge to retool U.S. AML regime

While the leak is dominating headlines, FinCEN just last week had stated that the U.S. AML regime will be changing – radically, with an eye toward better balancing risks, resources and results.

FinCEN stated it is engaging in a broad overhaul of the country’s financial crime compliance defenses, shifting more toward creating “effective and reasonably designed” programs that produce filings with a “high degree of usefulness” to law enforcement – even though the term “effectiveness” has no “consistent definition” in current rules.

In tandem, FinCEN also querying sectors subject to AML rules to determine if they could better manage risks, resources and threat actors if the bureau created national AML priorities.

Creating nation-wide financial crime and compliance priorities would be a herculean effort, but would be underpinned and informed by other national illicit finance, proliferation and terror risk assessments already being created as part of international oversite body recommendations.

Part and parcel of the proposal would also be to more concretely graft a longstanding compliance best practice and federal regulatory exam flashpoint into formal rules: the AML risk assessment, according to an advanced notice of proposed rulemaking (ANPR).

To read the full notice in the Federal Register published Wednesday, click here.

To read ACFCS coverage of the announcement, click here.

New ‘priorities’ to better manage evolving AML risks

Under the update, FinCEN’s bi-annual “Strategic Anti-Money Laundering Priorities” would inform bank AML risk assessments.

The tacit logic: banks would better be able to marshal technology and investigator capabilities and limited capacities to address rising risks, evolving criminal threat tactics and address more immediate law enforcement intelligence needs.

The FinCEN updates to AML objectives and effectiveness are not occurring in a vacuum.

The moves are informed by overarching efforts by global watchdog and private sector groups to prioritize “effectiveness” over technical compliance, at both the country, law enforcement and financial institutions levels, including the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group, the Egmont Group of Financial Intelligence Units (FIUs) and others.

In all, the updates cover “developing and focusing on AML priorities, reallocation of compliance resources, modernizing monitoring and reporting, information sharing, regulatory innovations, and for the first time ever, issuing national AML priorities and defining an effective AML program,” said a top fincrime compliance professional at a large U.S. bank.

“If these become regulations, they would make our AML regime more efficient and effective, produce more useful information for law enforcement, and better protect our financial system from criminals.”

In FinCEN leak aftershocks, fear to file in breach of confidentiality

In an ignoble irony, while FinCEN publicly touts what could be powerful changes to AML to truly help banks, ameliorate regulators and arm law enforcement to truly target and cripple the mega launderers, narco kingpins, graft-gilt political powermongers and terror cells, the leak could cause institutions to be gun-shy when filing SARs.

FinCEN noted the seriousness of the leak in a statement earlier this month tied to impending ICIJ report.

FinCEN holds millions upon millions of filings from banks tied to AML reporting rules tied to what banks consider potential indicators of illicit activity, typically more than $5,000, and direct or aggregated deposits of more than $10,000, called currency transaction reports (CTRs).

FinCEN stated it “is aware that various media outlets intend to publish a series of articles based on unlawfully disclosed” SARs, as well as “other sensitive government documents, from several years ago.” 

The unauthorized disclosure of SARs is a “crime that can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,” FinCEN said in the statement. 

FinCEN has already referred matter to federal investigative agencies, including the U.S. Department of Justice and the U.S. Department of the Treasury’s Office of Inspector General.

To read the full statement, please click here

To read ACFCS coverage and a preview of the leak, click here.

In insider ‘whistleblower’ breach, a preview of larger leak to come

FinCEN in the last two years has already had a high-profile case of SARs being leaked to the media.

In January, a senior Treasury Department official pleaded guilty to leaking confidential financial reports, after being charged with disclosing information related to Russia and the President’s associates.

Natalie Mayflower Sours Edwards, a senior adviser at FinCEN, entered a guilty plea to one count of conspiracy. She faces between zero and six months in prison as part of the deal.

In an 18-page criminal complaint, authorities detailed nearly a dozen stories published by news site, BuzzFeed, over the course of a year where Edwards served as a secret source.

She allegedly handed over specific details on individuals and related financial transactions, which potentially revealed monetary support for Russian meddling during the 2016 presidential campaign.

She originally stated she viewed herself as a whistleblower and even believed her actions would be protected.

The apparent goal was to uncover concrete financial linkages between these Russian activities and associates of President Donald Trump, including now convicted felon Paul Manafort, his former campaign manager, Paul Gates, the Russian embassy, and others.

It was no surprise someone — in this case Edwards — made the connection that if there were illicit details to be had in the Russia probe, they could be buried somewhere in the terabytes of data housed in FinCEN’s AML database. 

FinCEN is the main repository for this information.

Could law enforcement investigations take a hit after FinCEN files leak?

Having so many filings in one place allows bureau analysts to engage in proactive investigations to uncover large-scale criminal trends.

FinCEN then shares those details with banks and other government agencies with purview over investigating and taking down criminal and terror networks and defending the nation against foreign and domestic threats.

The database is also a trusted resource for virtually every major federal investigative agency – and many state and local law enforcement offices.

Beyond FinCEN sharing the results of its own database analyses, federal and state investigators have remote access to the FinCEN database directly to query for details to form the foundation of a case or attempt to break new ground in current investigations related to companies, individuals, regions and more.

Moreover, while several government agents in recent years – typically those involved in national security – have been arrested and sentenced for improperly handling classified information, the FinCEN case is an anomaly.

For a FinCEN analyst to be sanctioned for mining the database to allegedly get dirt on political foes, then steal the data itself, possibly targeting even the current U.S. president, is exceedingly rare.

But for those in AML compliance and investigative circles, this situation – along with a few others – was always a “worst case scenario” waiting to happen.

An insider SAR leak is bad. An external breach worse. Data destruction, the worst.  

Here are two other situations FinCEN is doing its best to guard against: what would happen if a criminal hacker, through stealing the login credentials of a database user or abusing a software vulnerability, gained access to the database and downloaded all or some of the information?

They could then sell those details to the highest bidder among a cabal of illicit groups so that criminal groups could know what every bank has on them, and potentially every past or current government investigation – crippling who knows how many ongoing cases.

But even as bad as that could be, there is one involving FinCEN that would likely be considered the most feared of all: full or partial data destruction.

How?

What if a hacker gained access to the database itself and rather than trying to steal or download it, introduced a virus or other insidious piece of malware that destroyed some or all of the data altogether? 

Such move would broadly hamstring many domestic and international, complex financial crime cases.

That’s because there are so many agencies around that world that rely on details in the FinCEN database to initiate and strengthen cases and pull together seemingly disparate sources of information to crack the diffuse, hidden trails of savvy organized criminal groups who are actively trying to mask their touchpoints with the formal financial system. 

Are SAR safe harbors, sharing protections also irrevocably broken?

What is also unclear now is if FinCEN is still protected by civil and other lawsuits tied to SARs now that they are out in the open.

Jilted businesses that feel they are put in a bad light, jaded investors upset how a SAR made them look and others could start suing banks named in the ICIJ investigation.

Typically, SARs filed through proper channels have broad protections and sharing safe harbors under Patriot Act Sections 314(a) – law enforcement querying and sharing information on individuals suspected of money laundering – and 314(b), which allows banks to share information with each other on entities potentially tied to financial crime.

If somehow a person finds out about a SAR filed on them and tries to sue in court, these protections prevent defense attorneys getting access to these filings.

But now that the SARs were not shared from law enforcement or between banks, it could open the door to legal fusillades without institutions able to wield the safe harbor shield that had kept them safe for nearly two decades – a further erosion of the formerly confidential and sacrosanct SAR filing regime. 

FinCEN pushing massive overhaul of AML regime to better achieve, define effectiveness, produce better intel for law enforcement

The Skinny:

  • The U.S. Treasury’s  Financial Crimes Enforcement Network (FinCEN) is engaging in a broad overhaul of the country’s financial crime compliance defenses, shifting more toward creating “effective and reasonably designed” programs that produce filings with a “high degree of usefulness” to law enforcement – even though the term has no “consistent definition” in current rules.
  • FinCEN is also querying stakeholders to glean if they could better manage risks, resources and threat actors if the bureau created national anti-money laundering (AML) priorities, a herculean effort informed by other national illicit finance, proliferation and terror risk assessments.
  • Part and parcel of the proposal would also be to more concretely graft a longstanding compliance best practice and federal regulatory exam flashpoint into formal rules: the AML risk assessment, according to an advanced notice of proposed rulemaking (ANPR).
  • The updates are informed by overarching efforts by global watchdog and private sector groups to prioritize “effectiveness” over technical compliance, at both the country, law enforcement and financial institutions levels, including the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group, the Egmont Group of Financial Intelligence Units (FIUs) and others.
  • In all, the updates cover “developing and focusing on AML priorities, reallocation of compliance resources, modernizing monitoring and reporting, information sharing, regulatory innovations, and for the first time ever, issuing national AML priorities and defining an effective AML program,” said a top fincrime compliance professional at a large U.S. bank.

By Brian Monroe
bmonroe@acfcs.org
September 16, 2020

The U.S. Treasury is engaging in a broad overhaul of the country’s financial crime compliance defenses, shifting more toward creating “effective and reasonably designed” programs that produce filings with a “high degree of usefulness” to law enforcement – even though the term has no “consistent definition” in current rules.

The Financial Crimes Enforcement Network (FinCEN) is also querying stakeholders to glean if they could better manage risks, resources and threat actors if the bureau created national anti-money laundering (AML) priorities, a herculean effort informed by other national illicit finance, proliferation and terror risk assessments.

Part and parcel of the proposal would also be to more concretely graft a longstanding compliance best practice and federal regulatory exam flashpoint into formal rules: the AML risk assessment, according to an advanced notice of proposed rulemaking (ANPR).

To read the full notice in the Federal Register published Wednesday, click here.

Under the update, FinCEN’s bi-annual “Strategic Anti-Money Laundering Priorities” would inform the now formalized financial institution risk assessments, with the logic being banks would better be able to marshal technology and investigator capabilities to address rising risks, criminal threat tactics and law enforcement intelligence needs.

The updates are informed by overarching efforts by global watchdog and private sector groups to prioritize “effectiveness” over technical compliance, at both the country, law enforcement and financial institutions levels, including the Paris-based Financial Action Task Force (FATF), the Wolfsberg Group, the Egmont Group of Financial Intelligence Units (FIUs) and others.

In all, the updates cover “developing and focusing on AML priorities, reallocation of compliance resources, modernizing monitoring and reporting, information sharing, regulatory innovations, and for the first time ever, issuing national AML priorities and defining an effective AML program,” said a top fincrime compliance professional at a large U.S. bank.

“If these become regulations, they would make our AML regime more efficient and effective, produce more useful information for law enforcement, and better protect our financial system from criminals.”

Being effective on effectiveness: a lofty, but ill-defined objective

Increasing the “effectiveness” of the national AML regime “is a core objective of recent AML modernization efforts,” FinCEN stated in the proposed rulemaking, noting however that the term is bandied about with little in the way of bright line, reviewable or auditable boundaries.

“This term often refers to the implementation and maintenance of a compliant AML program, but has no specific, consistent definition in existing regulation.”

The potential regulatory amendments described in the ANPRM would make clear that an “effective and reasonably designed” program is one that: 

  • Internal, external risk assessment considerations: assesses and manages risk as informed by a financial institution’s own risk assessment process, including consideration of AML priorities to be issued by FinCEN consistent with the proposed amendments,
  • Don’t forget the AML compliance basics: provides for compliance with Bank Secrecy Act (BSA) requirements, and
  • Practical, tactical filings: provides for the reporting of information with a high degree of usefulness to government authorities. 

The current big unknown, however, is how federal regulators and will support such a tectonic shift in focus for bank AML teams.

As well, in that same vein, a second interlinked vaguery: how could examiners on the ground grade “effectiveness” for individual AML program components or outputs, such as suspicious activity reports (SARs) or keeping accounts open for investigations, without getting input from those selfsame law enforcement agencies banks are trying to better serve.

“The key is the proposed addition of determining a program’s effectiveness by whether it provides government agencies with reports that have a ‘high degree of usefulness,’” said Jim Richards, the former head of AML at Wells Fargo.  

“This would be a game changer: in 20 years as a BSA Officer, I never had an examiner ask if the SARs we filed were ‘useful’ to law enforcement…which is the very reason why we have an AML regime,” he said.

“But the next big question is this: how do we measure ‘a high degree of usefulness?’ Only law enforcement can make that determination.”

Richards has also written extensively about the need for “TSV SARs” – Tactical or Strategic Value SARs,” a move that would better parse out higher priority reports that must be reviewed and acted upon quickly.

If these changes come to pass, not only would banks need to produce such TSV SARs, they would likely need law enforcement feedback on the value of these SARs – and others – that investigative agencies found vital in actual cases to later prove “effectiveness” to examiners.

Prioritizing ‘effective outputs over auditable processes’

FinCEN stated much of the changes came from discussions with industry, including compliance professionals, regulators, investigators and other thought leaders part of the Bank Secrecy Act Advisory Group (BSAAG), going on as part of a subcommittee since mid-2019, dubbed the Anti-Money-Laundering Effectiveness Working Group (AMLE WG).

The tactic conclusions: regulators need to allow financial institutions subject to AML duties to “place greater emphasis on providing information with a high degree of usefulness to government authorities based on national AML priorities, in order to promote effective outputs over auditable processes,” FinCEN stated in a related release Wednesday.

The AMLE WG recommended that the relevant government agencies consider:

  • Publishing a regulatory definition of AML program effectiveness;
  • Developing and communicating national AML priorities as set by government authorities; and
  • Issuing clarifying guidance for financial institutions on the elements of an effective AML program.

How to free up AML analyst resources? Refine reviews of PEPs, negative news

The BSAAG also touched on other nebulous areas of AML that can eat up bank monitoring, analyst and investigator resources, noting that regulators should sharpen their expectations around the depth and breadth of scrutiny tied negative news on clients or those who are, or were, considered politically exposed persons (PEPs).

At issue is that if banks are constantly scouring the Internet, public and bespoke databases for news that may or may not raise the risk of certain customers, such efforts can draw significant AML resources, with few results.

Similarly, if banks must consider all PEPs – foreign and domestic – as high risk, along with relatives and close associates, these are groups that will tuned more closely in transaction monitoring systems and be generating significantly more alerts than other customers, again, siphoning sparse investigative resources.

The updates also touched on the power and promise of new technologies, like artificial intelligence, to amplify and augment human experience in investigations and better public-private information sharing across government agencies and banks – including foreign affiliates, a long sought carve out for large, international financial services groups.

Some of the suggestions from the working group included:

  • Retooling risk assessments, negative news dives: Clarifying current requirements and supervisory expectations with respect to risk assessments, negative media searches, customer risk categories, and initial and ongoing customer due diligence; and
  • Managing PEPs, models: Revising existing guidance or regulations in areas such as Politically Exposed Persons and the application of existing model-risk-management guidance to AML systems, in order to improve clarity, effectiveness, and compliance.
  • How far to SAR, keep open accounts for law enforcement: Clarifying expectations and updating practices for keep-open letters and suspicious activity monitoring, investigation, and reporting, including SARs based on grand jury subpoenas or negative media; and
  • Innovation, automation to streamline filings: Supporting potential automation opportunities for high-frequency/low-complexity SARs and currency transaction reports (CTRs), and exploring the possibility of streamlined SARs on continuing activity. Engaging new technologies like artificial intelligence and machine learning to improve the alerts generated by transaction monitoring systems, drop false positives, connecting data on larger groups and further freeing up analysts resources.  
  • Information sharing, PPPs: Forming a BSAAG-established working group with members from law enforcement agencies, regulators, and financial institutions to identify, prioritize, and recommend national AML priorities and advise on opportunities to communicate typologies, red flags, and other information related to national AML priorities;
  • Information sharing, foreign affiliates: Leveraging existing information-sharing initiatives between the public and private sectors, including enhanced use of the BSA’s information sharing provisions, sections 314(a) and (b) of the USA PATRIOT Act, and sharing with foreign affiliates and global institutions, as appropriate; and
  • Finally, what we have all been waiting for, feedback on SAR quality, utility: Assessing options for FinCEN and law enforcement agencies to provide more feedback to financial institutions related to the use and utility of BSA reports.

The goal? To ‘update and modernize the AML regime’

The combined changes, according to FinCEN, hold the potential to help institutions better detect and prevent all areas of financial crime, guided by the investigative agencies the banks are trying to create rich, relevant and timely intelligence for – while at the same time keeping examiner criticism at bay.

“The overall goal of these initiatives is to upgrade and modernize the national AML regime,” FinCEN stated, while at the same time fostering regulators and banks to adapt and adopt new, innovative techniques to counter criminals and their trillions of dollars in illicit finance.

The updates will help both sides further “leverage new technologies and risk-management techniques, share information, discard inefficient and unnecessary practices, and focus resources on fulfilling the BSA’s stated purpose of providing information with a high degree of usefulness to government authorities.”

Think like a criminal, act like an investigator: Key takeaways on how to fight illicit finance from a chat with ACFCS Dutch chapter members Ruth Post and Owen Strijland

The Skinny:

  • In some cases, to fight crime and create stout compliance defenses, you need to think like a criminal to identify and report on their illicit schemes.
  • But the dedicated financial crime compliance team can’t do it alone. Financial institutions need to turn classic anti-money laundering (AML) foils into allies by extending broad spectrum training to the business line, frontline and even tellers.
  • Even so, no one has solved financial crime. Even the most tech-savvy and experienced AML, counter-fraud and corruption teams can have failings. However, in every stumble and misstep is a chance to learn and grow – if individuals and institutions have the courage to share what has and hasn’t worked, even before regulators come knocking.
  • Those are just some of the key takeaways from a rousing chat between ACFCS Dutch chapter members Ruth Post and Owen Strijland, covering the topics of financial crime and compliance, criminal vulnerabilities, regulatory focal points and program gaps.
  • The ACFCS Dutch Chapter also looked at some of the EU AML scandals and issues in and out of banks that can make compliance difficult on the “Fintech and FinCrime in Europe” session, a panel from ACFCS Fincrime Virtual Week, the association’s first-ever fully online fincrime compliance conference that took place last month.

By Brian Monroe
bmonroe@acfcs.org
September 10, 2020

The debate about how to best counter the burgeoning illicit finances of criminals – organized criminal groups, corrupt oligarchs, human traffickers and their money laundering machines – has only intensified in recent years as more jurisdictions wrestle with the challenges of creating, implementing and enforcing compliance defenses.

One of the biggest hurdles in the anti-money laundering (AML) programs created by financial institutions in actually identifying and reporting on large-scale fraud and financial crime networks is the interlinked irony of having to please regulators.

The tension: not missing anything that examiners could deem “suspicious,” while doing a thorough enough investigation to create rich, relevant and timely intelligence for law enforcement.

So what are some tactics to balance regulatory expectations and law enforcement needs?

Try to better learn how criminals “misuse systems, technology, or people,” and adapt and adjust AML programs to better harness resources toward actual rising illicit risks and trends by threat actors.

At the same time, don’t save all the expansive – and yes, sometimes expensive – compliance training for your AML, fraud and anti-bribery and anti-corruption teams. 

Push the front line of the fight more forcefully to your frontline, empowering business line managers and even tellers with knowledge to think for themselves. 

The goal: turning fincrime foils and historical weak points at the most distant nerve endings of an organization into centers of compliance excellence.  

Those are just some of the takeaways from a chat about fincrime vulnerabilities and regulatory focal points between Ruth Post, Director of Privacy and Compliance at LeasePlan, and Owen Strijland, Fintech Director at Protiviti.

They are also chairs of the Amsterdam Chapter of the Association of Certified Financial Crime Specialists (ACFCS).

Owen and Ruth met for an open interview, where they asked each other about financial economic crime.

Together they explored topics such as intrinsic motivation, the importance of a strong first line at financial institutions and the value of knowledge sharing and transparency.

They also talked about the importance of financial crime compliance professionals learning from their mistakes – even though many individuals and institutions are reticent to admit to internal friction or regulatory stumbles that have not been made public.

But it’s exactly that kind of honesty, openness and, yes, courage, that is needed for the community to learn and bring all institutions up to the same level of expertise, a move that holds the potential to both allay examiner concerns and live up to law enforcement ideals. 

Here is an edited version of that conversation: 

To better fight criminals, learn to think like one

Ruth: Let me kick off with a question about intrinsic motivation. What is your drive to fight financial economic crime?

Owen: What has always fascinated me about financial crime is that in hindsight it always seems like it could have been prevented.

The better we learn how criminals misuse systems, technology, or people, the better we can prevent it. I almost have a childlike curiosity on how financial crimes can take place and on how they can be prevented.

Ruth: And besides your curiosity, do you also do your work out of a sense of justice?

Owen: I do not tolerate injustice. Particularly when it comes to crime involving the abuse of vulnerable people. The impact for the victim can be huge.

Therefore, I find it very interesting to look at the money flows from the criminally obtained funds.

For example, WhatsApp fraud, theft or extortion, the money always flows back into economic system. There are countless parties who unconsciously facilitate this or look the other way.  

As a society, there still is much to gain on this matter. What about your drive?

Ruth: I am convinced that people do good by nature, but from a psychological perspective I am intrigued by the (external) circumstances that cause people to behave dishonestly.

The question [of] why people turn to criminal activities intrigues me. I also have a great sense of justice. As the CCO of LeasePlan, I can do something about financial crime, which motivates me to continue the fight against financial crime.  

Owen: How does the fight against crime manifest itself in your daily work?

Ruth: It is sometimes difficult to make that tangible. I work for a large institution and because of all the imposed laws and regulations of various supervisors and governmental bodies, it feels like you are a bit distant from the actual crime fight.

Across the board, there is too much focus on tick-in-the-box exercises and too little on the actual underlying problem.

To outwit and outfox a criminal, think outside the (tick) box

Owen: What would have to change to reduce that bureaucratic burden?

Ruth: It is of course important that there are laws and regulations to enforce the financial world in the fight against financial crime. These regulations enforce that companies have robust programs in place to combat financial crime.

However, I think we can overcome a lot of challenges if we adopt a more multidisciplinary approach.

I am not only referring to better cooperation between the financial institutions, the FIU, the police, the Public Prosecution Service and the tax authorities, but also to the cooperation within financial institutions between the first and second line and the interaction with customers and suppliers.

We must work together to ensure that people working in sales, procurement or other people involved in the chain (e.g. car dealers and garages in our case) are aware of potential financial crimes, understand the context and appropriately act upon it.

Creating awareness and training is key.

Moving the front line of the fight to the frontline

Owen: What does it take to get the first line of defence within financial institutions to the desired level?

Ruth: I immediately think of a picture I once saw in college as a law student. The picture was an optical illusion as you could either see a young or an elder woman in the picture, but never both at the same time.  

It is a matter of perspective which image you take in. It is evident that sometimes people need help to see the full picture – to show them that something else can also be seen if you just focus on it.

This also applies to financial crime. If you do not know what you are looking for or if you are not primarily focused on detecting crime, you will not see it quickly.

That is why it is important that we help the first-line of our organizations to recognize crime as well.

Owen: We also should not forget that the role of the first line has been changed over the last couple of decades.

For example, if you wanted to process a payment of 20,000 guilders, you performed that transaction physically at your local bank office. The bank teller would probably know you and your transaction behaviour, which also made unusual behaviour more noticeable.

Today, first-line contact has often been replaced by apps or systems, leading to the loss of social control.

The financial institutions that I visit now have an army of people in the second line who perform retrospective checks on newly acquired customers or payments.

What would happen if you put these people back to the front line for extra customer contact moments? Could humans support the front-line controls by creating a more pro-active approach in recognizing financial crimes?

The power of AI: Reaction, monitoring, prevention

Ruth: Are there any technological developments that can replace the human aspect in the first line of defence control activities?

Owen: There have been many developments in recent years to facilitate fast payments, such as instant payments technology.

However, I still see few algorithms emerging (in the first line of defence) that offer preventive protection. Of course, we will soon be able to do all kinds of things with machine learning and Artificial Intelligence, but that is not the case, or at least not yet.

Of course, there have been many developments in the monitoring models in the second line, but this is on a detective basis. I would like financial institutions to focus more on smart crime prevention, rather than smart monitoring.

Ruth: I also strongly believe in the value of prevention. Whether it concerns vulnerable young people who are recruited as money mules, or elderly people who are victims of WhatsApp fraud, the government and financial service providers have to play a more important role in creating social awareness to prevent crime.

Owen: I also believe that there should be an increased duty of care for financial services to protect vulnerable groups from criminal behaviour.

For example, this duty of care already exists when taking out mortgages. Why not also a mandatory duty of care or communication when taking out a bank account or other financial product?

Is the key to compliance to examine for kindness in a ‘duty of care?’

Ruth: Installing duty of care would imply more strict regulation from the regulator. What are other possible measures the regulator could adopt to facilitate better crime prevention?

Owen: What I often miss is the openness about financial crime. I find that often only the outcomes of the studies are shared, while the underlying root causes underlying remains under-reported.

I believe that the supervisor should be able to demand full disclosure in such cases.

For example, legislation on data breaches is much clearer. In the event of a data breach, you must legally provide full disclosure: what data has been leaked? Who owns this data? What is the cause of the data breach?

I would like to demand the same for financial crime. They should provide information about the parties involved, how the fraud took place and whether the victims have been compensated. Only then can we learn from each other.

Ruth: I also see that there is insufficient attention for the root-cause analysis. The underlying reasons that cause things to go wrong are often not very tangible.  

For example, a lack of trust in an office environment is one of the most recurring root causes. Certain forms of crime can easily be repeated if the internal root cause is not identified and resolved.

Owen: Another example which I have encountered was a financial institution where management facilitated insider trading by temporarily shutting down controls. This headline was in all the papers, of course, but I have not heard from anyone about the underlying cause of this problem. How could this have been prevented?

Ruth: It is not always possible to share everything “out in the open” in due to legal liabilities, but I agree that we should be more open about our failures.

It is therefore one of the important pillars of ACFCS to create an open environment in which we can share best and bad practices.

Is sharing caring when the fincrime tale is a program fail?

How do you think we can motivate the “financial crime community” to share their failures?

Owen: ACFCS is a platform where openness and knowledge sharing are at the top of the agenda.

In addition, we have also said that members can only register with ACFCS if they share something themselves. Although this sounds a bit harsh, it does reflect our vision about transparency and knowledge sharing.

Ruth: Speaking of sharing: I started an internal column within LeasePlan where I share real life crime cases.

For example, the newspaper recently reported that several young criminals had been caught in connection with renting cars to criminals. As a Lease company, I connected this news item to our daily reality.

I notice that these concrete cases resonate much better in the first line. It is my job to give them examples and tools to recognize and prevent financial crime.

Owen: I am also pleased to see that we have already found people from the industry willing to share their “mess-ups.”

I also think that we can measure the success of ACFCS by the amount of information we can disseminate about events that went wrong in the past and what we can learn from them.

Ruth: I also believe that it is interesting to look at the changing social norms surrounding financial crime from the ACFCS perspective.

For example, not too long-ago, bribes were business as usual in the construction world. The same goes for investments in the tobacco industry, or the changing social perception of cash money.

At some point we decide that we no longer find something acceptable. From the ACFCS community, we can study and discuss these standard changes together.

Owen: This is certainly important as legislation is always a few years behind reality. With certain things that we regard as very normal today, you may be on the front page of the newspaper in 10 years.

Fincrime trends: Payment diversity can equate to compliance complexity

Ruth: Sometimes we are indeed overtaken by reality. On another note, do you see any trends which complicate the fight against financial crime?

Owen: Absolutely, there is increasing diversification in payment methods.

For example, web shops using various payment service providers. The [Payment Services Directive] PSD2 regulations make the playing field even more complex because external parties will soon be allowed to initiate payments based on consent.

A prime example of the risk of diversification in payment methods is the recent hack on SWIFT, where a router could be hacked in an African country because it was poorly secured.

Because SWIFT payments were processed via this router, the hackers could easily obtain and adjust this payment information. Because more links are involved when executing payments, the vulnerability of a weak link is increased.

Ruth: Interesting. From a psychological perspective, the fight against financial crime is also complicated by personal biases. We regularly perform bribery and fraud risk assessments.

What always strikes me is that people tend to systematically estimate the risk of internal bribery and fraud much lower than the chance of external fraud and bribery. People view crime as something that comes in from the outside but are often blind to what is happening around them.

Owen: Nice to see how we approach certain themes in a completely different way.

As far as I am concerned, this is the added value of ACFCS: bringing different organizations and functions together. You will never succeed in completely preventing financial crime, but I do believe that you can achieve a better approach if you bring together as many insights as possible.

Ruth: I am really looking forward to it – the more insights and knowledge sharing, the better!

Ruth and Owen always enjoy talking about financial crime. 

The Dutch chapter also looked at some of the EU AML scandals and issues in and out of banks that can make compliance difficult on the “Fintech and FinCrime in Europe” session, a panel from ACFCS Fincrime Virtual Week, the association’s first-ever fully online fincrime compliance conference that took place last month.   

More than 5,600 attendees, speakers and thought leaders registered for the week-long event, which addressed the overarching themes of Disruption, Innovation and Resiliency.

In the panel focused on compliance and regulatory trends in the EU, speakers highlighted several key trends, including:

  • Regulators and prosecutors in Europe are trying to more aggressively tie egregious fraud and financial crime compliance failures to senior management and directors outside of compliance, including business line revenue agents, just as new financial crime compliance rules take hold.
  • In response, some banking groups have started to collapse silos in and outside the bank.
  • Compliance teams are banding together across institutions to share information on customers – including potentially risky and fraudulent individuals and entities – and interweave AML, fraud and cyber teams to better tackle crimes in a holistic, convergent manner.

To read the full story, click here.

Would you also like to share knowledge and experience and learn from other parties involved in financial crime?

You are welcome to register at www.acfcs.nl

Ruth Post is Director Privacy & Compliance, LeasePlan Corporation. LeasePlan is a leader in two large and growing markets: Car-as-a-Service for new cars, through its LeasePlan business, and the high-quality three-to-four-year-old used car market, through its CarNext.com business.

 LeasePlan has more than 1.9 million vehicles under management in over 30 countries and holds a banking licence. With over 50 years’ experience, LeasePlan’s mission is to provide what is next in sustainable mobility so our customers can focus on what is next for them.

For ten years Ruth worked at the Dutch Central Bank in different roles related to compliance, integrity & supervision, after which she was responsible for Compliance both at ABP and APG.  

Ruth holds a law degree and studied public administration.

Owen Strijland started his career in 1999 as a general ICT consultant in the Healthcare and Finance domain, through his roles as a Change Advisor to the Executive Board for a large insurance/ banking company.

 

In his role as manager Risk Management he came in contact with a variety of Compliance and Risk topics where Information Management, digitization and the Delivery of tangible results were always key.

 

For a global consultancy company, he has built a team of 40 risk professionals.

 

His experience and motivation to analyse opportunities, start up, create, and sell solutions, positively influences the group process to perform and get the best out of people.

 

Today Owen is responsible for the Fintech industry solutions for Protiviti Benelux and is manager of the Digital Delivery Hub.

 

His focus is on Technology, GRC, ERM and Operational Risk with a strong focus on Financial Crime management, his general business development responsibility is to make available all Protiviti services to the Fintech and Financial Services / Digital innovative organizations.  

 

Owen has a seat in the Dutch Management Team of Protiviti, and the Global Digital team.